CLEAR CHOICE

WLAN MANAGEMENT

Cloud-based  services 
navigate  the  maze 

Aerohive,  D-Link  and  Meraki  deliver 
enticing  alternatives  to  on-site 
management.  Page  24  ► 


Cisco’s  resolve 
unflagging  despite 
looming  layoffs 

BY  JIM  DUFFY 

LAS VEGAS — Despite the specter of perhaps the largest layoff in Cisco’s history overhanging its annual customer conference, the company last week conducted business pretty much as usual at Cisco Live!

The conference, attended physically by 15,000 and virtually by 40,000, was heavy on topics such as data center, cloud, and Cisco’s moves to correct the mistakes of recent quarters and years. Indeed, CEO John Chambers’ keynote was almost contrite in tone as he sought to reassure customers that Cisco will come through its current challenges stronger and more resolute in every aspect of the company.

Microsoft touts
Windows 8 promise,
Skype/Lync pairing

BY JON BRODKIN

MICROSOFT’S ANNUAL partner conference last week featured previews of the Windows 8 server and desktop operating systems, talk of integration between Skype and Lync, and a barrage of insults aimed at the company’s competitors.

While  Microsoft  CEO  Steve  Ballmer  scoffed  at  Apple’s 
Mac  sales  numbers  compared  to  the  400  million  Windows 
7  licenses  sold,  Microsoft  COO  Kevin  Turner  bashed  Google, 
Cisco,  IBM,  Oracle  and  VMware. 

Office 365 is “nothing but a Google butt-kicker,” while IBM’s Lotus Notes is hemorrhaging customers to Microsoft, and Cisco’s unified communications product, Oracle’s

FROM THE EDITOR KEITH SHAW

Vacation, all we
ever wanted

Our esteemed editor-in-chief, John Dix, was on vacation this week, and that’s a good thing. Not just because I get to take his place on this page, but because taking a vacation — whether you’re a regular employee or president of the company — is a good idea.

You’d think that was obvious, but growing research says that many workers in the U.S. are not getting that message. In a recent study by CareerBuilder.com, workers reported that they are not taking vacations — and if they are, they’re taking work with them, which hardly qualifies as “getting away from it all.” In the survey:

•  30%  of  workers  plan  to  take  the  office  with  them  and  work  while  on  vacation. 

•  30%  said  they  will  contact  work  while  on  vacation,  up  from  25%  in  2010. 

•  24%  said  they  can’t  afford  to  take  a  vacation  this  year,  up  from  21%  in  2010. 

•  16%  said  they  gave  up  vacation  days  in  2010  because  they  didn’t  have  time  to 
use  them. 

In  a  separate  poll  by  Regus  (provider  of  workplace  facilities),  66%  of  survey 
respondents  said  they  will  check  and  respond  to  email  during  their  time  off,  and 
29%  expect  to  attend  meetings  virtually  while  on  vacation. 

Advances  in  technology  have  made  it  possible  for  workers  to  bring  gadgets  along 
with  them  on  vacation  so  they  can  stay  connected,  and  for  IT  staffs  that  can  be  a 
blessing  and  a  curse.  Since  employees  can  still  work  while  they’re  away  from  the 
office  (for  example,  performing  equipment  resets  via  their  smartphone),  this  doesn’t 
give  them  a  chance  to  really  relax  and  forget  about  what’s  going  on  back  at  the  office. 

It’s  also  not  healthy  for  a  business  to  be  reliant  on  just  one  person  who  may  feel 
too  important  to  take  any  vacation  time.  Not  just  because  of  the  health  concerns 
for  that  one  person,  but  from  a  security  standpoint,  as  well.  In  addition  to  making 
sure  employees  take  vacations,  make  sure  there  are  backup  and  contingency  plans 
for  covering  that  employee’s  work.  The  plan  needs  to  be  more  than,  “We’ll  just  call 
when  something  breaks.” 

Vacations over the summer can be tricky for IT groups, which tend to use the time for upgrades and other maintenance projects, mainly because other employees at the company are often taking their own vacations. If your company uses summer for these purposes, it’s even more important to have your staff take vacations in the fall or spring, to prevent burnout and other health issues.

Many  tech  departments  are  considering  mandatory  vacations  as  a  best  practice, 
which  may  rub  employees  the  wrong  way,  especially  those  Type-A  staffers  who 
say  they  don’t  need  a  vacation  or  who  think  they  are  too  valuable.  But  the  benefits 
to  the  company  (and  the  employee)  far  outweigh  these  concerns. 

Again,  you’d  think  this  was  obvious,  but  one  in  three  workers  are  still  not  getting 
the  message. 
Google+: Beta, not 1.0

I’M FEELING THAT Google+ is now in its invite-only beta mode, working out those kinks and seeing what Google has missed. Which is the reason for not unleashing it upon the world (Re: “Giving Google a B-minus for Plus”; tinyurl.com/66u5nw3).

The  fact  that  the  beta  is  getting  this 
much  attention  is  a  good  thing,  but 
Google’s  releases  have  a  history  of  getting 
hyped  and  then  appearing  so  much  later 
that  people  don’t  take  them  on. 

Facebook  has  had  a  seven-year  head 
start  on  this  platform  and  Google+  needs  to 
work  well  for  people  to  not  just  abandon  it 
immediately,  so  by  Google  slowly  bringing 
people  in  and  letting  them  add  people  and 
controlling  the  influx  and  reading  people’s 
comments  and  feedback,  it’s  balancing  a 
good  experience  with  growth  rate. 

Google  has  to  play 
this  very  carefully.  Too 
many  people  on  an 
incomplete  experience, 
it  fails;  not  enough 
people,  it  never  gets  off 
the  ground. 

Anon 

THE IDEA OF having “Circles” of friends is what is really the largest drawback of Facebook and the best selling feature of Google+. That very point has been my beef with Facebook, all the way from the beginning.

The Facebook social model is inherently flawed because it breaks the privacy model of the natural contexts humans use in the relationships of their lives. Really, it is not natural or comfortable having people I knew way back from high school, plus people from my current job, plus my casual acquaintances and good friends, plus family members, plus my parents and plus everyone else from various time periods from my life all in the same room with me at the same time — sharing bits of personal data with all of them at once, and all of them commenting on it and each other.

Now  maybe  Google+  can  bail  me  out. 

Dallas 


Only  now? 

I AM CURIOUS why only now the IETF is looking at home networking issues for IPv6 (Re: “IETF mulls IPv6 for home networking”; tinyurl.com/6dfyp2b). Home networking has been a major issue since at least 2001 when broadband really started to take off and we all had to share one IP address in the house. The fact that this issue is only being researched now tells me it will definitely be many more years before IPv6 gets a foothold in the home.

Aardvark 

Corporate  smartphone  use 
requires  integration 

IT’S NOT SURPRISING that iPhones are used primarily for games — the integration is lacking at many companies to permit iPhones to interact with their corporate resources. Many companies have minimal integration to email only at the moment due to the relative risk of introducing full access to corporate systems to these devices. This will change — but it will take time (Re: “And the killer smartphone app is . . . games!” tinyurl.com/6gmwrke).

Contrast this with BlackBerry, which was once the only rational choice that met enterprise needs. BlackBerries were purchased by users for the ability to handle their email. Later apps came, and since this device didn’t have consumer mindshare, the game use lagged behind and few users purchased their own device.

This delta in how the devices are procured and how the devices evolved makes it easy to see why games are the most popular apps — but doesn’t prove anything with respect to how useful these are in companies with good integration. As the security models mature expect to see more business-critical apps emerge, but don’t expect business use to overshadow consumer use — each vertical may some day have great penetration but the common application across all verticals is going to be entertainment.

Anonymous 


Amazon finds Kindle
3G sugar daddy

AMAZON HAS ANNOUNCED that AT&T is sponsoring a version of its Kindle 3G under an agreement that will enable customers to buy the e-reader for $139 if they’re willing to put up with the carrier’s ads on the home screen and screen saver. That’s $25 less than the previous Kindle 3G with Special Offers price and $50 less than the regular retail version of the e-reader. An ad-supported Wi-Fi Kindle costs $115. Amazon/AT&T cover the cost of always-on wireless connectivity, which means customers don’t need to hunt for Wi-Fi hotspots or pay monthly wireless fees/annual contract fees to access books and magazines to read on the 6-inch device, which can hold up to 3,500 books. tinyurl.com/6laqjz5
'Depraved' Wi-Fi
hacker sentenced

A MINNESOTA man has been sentenced to 18 years in prison after he hacked a neighbor’s Wi-Fi router and then launched a vengeful two-year campaign to frame them with child pornography and threats to government officials, including Vice President Joe Biden. Called a “depraved criminal” by prosecutors, a 46-year-old father of two, was sentenced last week, not for Wi-Fi hacking but for the threats, identity theft and child pornography that followed in its wake, all directed against a young couple, Matt and Bethany Kostolnik of Blaine, Minn., and their children. “My husband and I had to explain to our young, innocent children way too early that there are evil people in the world — and to never go in Barry Ardolf’s yard,” Bethany Kostolnik told U.S. District Judge Donovan Frank. tinyurl.com/6cjx8vt


VMware 
touts  cloud 
infrastructure 

SETTING THE stage for cloud deployments, VMware will update many of its core products and bundle them into an integrated release, called the Cloud Infrastructure Suite, the company announced last week. The idea is to let organizations set up an infrastructure that will let them make use of hosted cloud services, said VMware. The package includes new versions of VMware’s flagship vSphere virtual machine manager, vCenter Site Recovery Manager, the vShield security framework, the vCloud Director management console and a new product, vSphere Storage Appliance. The package also includes vCenter Operations, which was released earlier this year. tinyurl.com/6yn3m2g

Courts  OK  Nortel 
patent  buyout 

U.S. AND Canadian courts have approved the sale of thousands of patents from bankrupt Nortel Networks to a consortium including Apple and Microsoft for about $4.5 billion. The purchasing group, which also includes EMC, Ericsson, Research In Motion and Sony, won an auction for the patents on June 30. Last week, the U.S. Bankruptcy Court for the District of Delaware and the Ontario Superior Court of Justice approved the deal at a joint hearing. Nortel is based in Mississauga, Ontario. The portfolio includes more than 6,000 patents and patent applications, including ones covering data networking, wireless, optical, voice, semiconductor and service-provider technologies. tinyurl.com/64r3uzh


Keyboard skills
trumping cursive

KEYBOARD TYPING and messaging are the way of the future no doubt but at the cost of cursive writing? That seems to be the trend as Indiana last week became one of a number of states that no longer require cursive to be taught, but rather require typing skills instead. The Indiana move is part of a larger move to a common learning and ultimately testing program known as the Common Core State Standards Initiative. That program, adopted by 46 state governors in June 2010, outlines all manner of language and math education yardsticks for the future. Keyboarding is one of the skills students are expected to master, cursive writing is not. Schools have the option to continue to teach cursive. tinyurl.com/6zdhrxo


IT Video

Verizon center
spotlights 4G
projects

Matt Hamblen gets an overview of the Verizon Innovation Center, which opened its doors Tuesday in Waltham, Mass. The center allows companies to collaborate on 4G LTE wireless projects from concept to market.

tinyurl.com/6679y2a

FCC to carriers: Cram this


DeWalt out
at McAfee

week appointed a pair of new leaders to run its McAfee subsidiary after David DeWalt resigned as the unit’s president, the company said. The chip maker, which completed the $7.68 billion acquisition of McAfee in February, appointed co-presidents Michael DeCesare and Todd Gebhart to operate the subsidiary. DeWalt, who was president and CEO of McAfee prior to its acquisition, will continue as a member of McAfee’s board of directors, Intel said, adding that “he is pursuing a CEO role at a non-competitive company.” tinyurl.com/68to9wt


RIM  serves  up 
billionth  app 

RESEARCH IN Motion says its 2-year-old BlackBerry App World has crossed the 1 billion app download mark and that a beta version of the app store upgrade is on the way. The news comes about a week after Apple crowed that its 3-year-old App Store for iPhones and iPads had passed the 15 billion app download mark. Apple crossed the 1.5 billion app download threshold about a year after the App Store opened, but of course that was pre-iPad. Google recently said its Android Market passed the 4.5 billion app download line.

In a blog post, RIM says its BlackBerry App World is now seeing 3 million app downloads a day on average. Those downloads come from both BlackBerry phones as well as the new PlayBook tablet computer. tinyurl.com/66ozf5v


Anonymous  continues  to 
make  name  for  itself 


ANOTHER DAY, another Anonymous attack. The hacktivist outfit this past week added Monsanto to the list of victims, exposing information about thousands of employees and affiliates, as well as government contractor Booz Allen Hamilton, which was attacked as part of a broader initiative that yielded some 90,000 military emails and password hashes (Booz Allen confirmed the attack, though downplayed the amount/type of content exposed). Also on the hit list: Exxon Mobil and other petroleum companies whose policies Anonymous is against. Anonymous and another recently disbanded hacking group, LulzSec, have also been attacking government and law enforcement targets as part of a campaign they call “AntiSec.”


New  college  grads 
making  more 

ACCORDING TO a survey conducted by the National Association of Colleges and Employers (NACE), starting salaries being offered to this year’s college graduates are up 4.8% over this time last year. Those with computer science degrees are doing just fine, too, although a shade less well than their counterparts in other disciplines. From the organization’s press release:

“As a group, students in the computer science disciplines saw their average offer rise 4.3 percent to $62,328. Graduates majoring specifically in computer science saw their average salary offer increase 3.7 percent to $63,402, and the average offer to information sciences and systems graduates rose 4.4 percent to $57,499.” This is the third consecutive quarter of average salary growth, according to NACE. tinyurl.com/66ewyvf


Consumerization
of IT gone wild

MORE PEOPLE are bringing their own tablets and smartphones to work but IT departments have been slow to support them and may not even be aware of the trend, according to a report funded by Unisys and conducted by IDC. IDC surveyed more than 2,600 information workers and 550 IT administrators in nine countries and found that IT administrators aren’t aware of how many people use their own devices at work and how extensively they use those devices to access corporate applications. “Enterprises think they are in control of these devices, but in fact they are in control of only a small part of their infrastructure, with a significant number of employees going off the grid in acquiring and using their own devices,” IDC said.


THE FCC has proposed new rules designed to make it more difficult for telephone carriers and other companies to insert mystery fees onto customers’ phone bills. The proposed rules would require landline telephone carriers to notify customers at the point of sale and on each bill of the option to block third-party charges on their phone bills. The proposed rules would require both landline and mobile carriers to include notices on their phone bills and websites saying customers can file complaints about mystery fees with the FCC.


www.networkworld.com  JULY  18,  2011  7 


TREND  ANALYSIS 


Who  are  all  these  hacker  groups? 


BY ELLEN MESSMER


HACKER GROUPS that attack or steal — some estimates say there are as many as 6,000 of such groups online with about 50,000 “bad actors” around the world drifting in and out of them — are a threat, but the goals, methods and effectiveness of these groups vary widely.

When they’re angry, they hack into business and government systems to steal confidential data in order to expose information about their targets, or they simply disrupt them with denial-of-service (DoS) attacks. These are the hackers with a cause, the “hacktivists” like the shadowy but well-publicized Anonymous or the short-lived Lulz Security group (which claimed to have just six members and just joined forces with Anonymous).

Over the years, Anonymous is believed to have hit targets that include the Church of Scientology, the Support Online Hip Hop website and the No Cussing Club website, and to have posted pornographic videos disguised as children’s videos onto YouTube. It’s said to have joined with Iranians protesting the results of the June 2009 presidential election in that country. It’s tied to taking down the Australian prime minister’s website in 2009 because of that government’s plans to have ISPs censor porn on the Internet. Anonymous has taken up the cause of piracy activists fighting copyright law by launching DoS attacks against anti-piracy groups and law firms. The group is supporting WikiLeaks, which publishes confidential information, including the U.S. State Department cables allegedly leaked by U.S. Army soldier Bradley Manning, now in a military jail awaiting trial.

Anonymous, perhaps tied to the Sony hacking incidents of this spring, has launched distributed denial-of-service (DDoS) attacks against Amazon, PayPal, MasterCard, Visa and others when the card-payment groups refused to process donations to WikiLeaks. Anonymous has sprung into conflicts, such as this year’s uprisings in the Middle East, hitting the websites of the Tunisian, Egyptian and Libyan governments. The group recently let the world know its chief focus these days is going to be targeting governments and corporations.

But hacktivists like Anonymous are just one type of hacker group. Others are out for financial gain, organized to steal payment-card numbers and personal financial data or to pillage bank accounts. And there are groups that focus on intellectual-property theft or steal valuable information for national interests, money, or both.

Here’s a look at what’s known about some of them — including the ones that unlike the hacktivists, seldom tweet the world about what they do.


The ZeuS gangs: The malware called ZeuS is designed to plunder victims’ PCs to steal financial information and execute fraudulent high-dollar Automated Clearing House (ACH) transfers in corporate bank accounts, resulting in many millions of dollars in fraud against businesses, church groups and government agencies.

The FBI and international law-enforcement partners in the United Kingdom, the Netherlands and the Ukraine managed to disrupt one of the six main ZeuS hacker groups last fall in a sweep that netted about 100 suspects tied to $70 million in U.S. bank heists. But the leader of what’s called “JabberZeuS” (because the specific variant of ZeuS used Jabber instant message to tell gang members when a victim’s online banking credentials were stolen) is still believed to remain at large. And according to Don Jackson, senior security researcher at Dell SecureWorks, which has worked with businesses and the FBI, there are still five other separate ZeuS hacker groups very active across the world. These ZeuS hacker groups have now been connected to a billion dollars in losses, says Jackson.

Dogma Millions: This group, largely Russian, runs what’s known as a “pay-per-install” operation to get victims to download malware they’ve designed. The group is believed to have hundreds of “affiliates” that get paid when a malicious file is installed on a victim’s machine. Dogma Millions is known to have developed specialized software packers and protectors such as rootkits to ensure its malware.

The Chinese hacker puzzle: With a growing number of cyberattacks traced back to mainland China, there’s a lot of interest in hacker groups there, with speculation that there are many dozens of them. Security firm McAfee earlier this year released a report called “Night Dragon,” which claimed hacker groups from China work regular-hour shifts to try to break into oil companies to steal data.

Over the years, the more famous China hacker groups have included Janker, founded by Wang Xianbing, and the Green Army Corps, founded by Gong Wei, according to researcher Scott Henderson, who runs the website Dark Visitor. Although there is no shortage of suspicion in the U.S. that Chinese hackers have at times worked for the Chinese government to steal secrets from the U.S. and from U.S.-based businesses, there are also times when Chinese authorities have taken steps to shut down hacker groups. For instance, reports said police last year in Hubei province went after hacker group Black Hawk Safety Net and its website that was providing Trojan-based malware.

Over the years, others such as the Network Crack Program Hacker Group based out of Zigong have been identified. The group used a rootkit called GinWui in attacks on the U.S. Department of Defense, other U.S. agencies and Japan about five years ago. GinWui is thought to have been developed by the group’s leader, Tan Dailin, who has used the handle Wicked Rose and later Withered Rose.

The Network Crack Program Hacker Group is believed to have transmitted a large number of documents to China from the U.S. But when Dailin launched DoS attacks against other Chinese hacker groups, including Hackbase, 3800hk and HackerXfiles, these hacker groups went to Chinese authorities, which arrested Dailin in 2009. He now faces more than seven years in prison.

Inj3ct0r Team: Some hacker groups, particularly the hacktivists, are inclined to make their exploits public by announcing them online in some way or dumping contents they’ve stolen as proof of their prowess. Recently, a group called Inj3ct0r Team claimed it had compromised a server belonging to NATO.

When contacted by IDG, the group said the files were a “server backup, confidential data.”

According to IDG, “inside the files was a notepad document dated July 3 that said: ‘NATO lamers! I’ve been watching you day and night since then! W00t! Your Machines rooted! Servers restored to default! what else! [Expletive deleted] you and your crimes! And soon enough all your stupid ideas will be published on WikiLeaks!’” One industry source asked about Inj3ct0r Team says the group started as one individual who began finding vulnerabilities in websites and publicizing them, and then attracted a following.
SPECIAL FOCUS


Getting  at  the  real  truth  about  IPv6 


BY  CAROLYN  DUFFY  MARSAN 

IS  2012  the  year  to  invest  in  IPv6? 

That’s what CIOs want to know as they plan their IT budgets for the next fiscal year. They need to decide if they are going to set aside funds to deploy this emerging Internet standard and how much it will cost to upgrade their hardware and software.

The  short  answer  to  that  question  is:  yes. 

The  conventional  wisdom  in  the  Internet 
industry  is  that  CIOs  need  to  invest  in  IPv6 
during  2012  or  they  will  put  the  growth  plans 
for  their  online  businesses  at  risk.  This  is 
because  an  increasing  number  of  new  mobile 
and  broadband  subscribers  worldwide  will 
be  given  IPv6  addresses  starting  in  2012. 

“For  an  enterprise,  it’s  a  safe  assumption 
to  make  that  if  you  start  today  to  do  a  design 
assessment  and  your  addressing  plan,  you 
can  plan  for  an  IPv6  deployment  in  the  first 
half  of  2012,”  says  Alain  Fiocco,  who  leads  the 
IPv6  program  at  Cisco.  “2012  is  when  you’re 
going  to  see  some  measurable  percentage  of 
users  on  IPv6.” 

Two  recent  events  have  demonstrated 
to  CIOs  around  the  world  that  the  need  for 
IPv6  is  both  real  and  imminent:  The  free  pool 
of  available  IP  addresses  using  the  current 
protocol,  IPv4,  was  depleted  in  February, 
and  most  IPv4  addresses  in  the  Asia  Pacific 
region  were  distributed  to  carriers  in  April. 

Meanwhile,  IPv6  has  proven  itself  ready 
for  deployment.  On  June  8,  more  than  400 
of  the  Internet’s  largest  players,  including 
Google,  Facebook  and  Yahoo,  participated  in 
a  24-hour  trial  of  IPv6  dubbed  World  IPv6 
Day.  No  major  outages,  security  breaches 
or  performance  degradation  were  reported 
during  the  event. 

“There  was  a  lot  of  concern  that  things 
would  be  broken,  but  the  overwhelming 
majority  of  participants  [in  World  IPv6  Day] 
had  a  positive  experience,”  says  Greg  Hankins, 
global  solutions  architect  for  Brocade,  which 
has  supported  IPv6  on  its  website,  email  and 
customer  support  infrastructure  for  more  than
a  year.  “I  don’t  think  I’ve  seen  a  single  horror 
story  or  really  negative  implementation  expe¬ 
rience  from  anyone,  which  speaks  a  lot  about 
the  maturity  of  IPv6  and  the  maturity  of  IPv6 
implementations  by  various  switching,  rout¬ 
ing  and  appliance  vendors.” 

An  estimated  20%  of  World  IPv6  Day  par¬ 
ticipants  had  such  a  positive  experience  with 
the  new  protocol  that  they  left  it  up  and  run¬ 
ning  on  their  public-facing  websites  after  the 
experiment  was  over.  For  example,  Blue  Coat 
left  IPv6  enabled  on  its  main  website,  and
Cisco  left  IPv6  enabled
on  its  www.scansafe.com 
website. 

“We  had  a  little  over 
1%  of  our  users  and  traf¬ 
fic,  our  unique  visitors, 
coming  to  the  cisco.com 
website  over  IPv6.  That’s 
pretty  consistent  with 
the  rest  of  the  industry,”
Fiocco  says.  “That  represents
a  couple  of  tens  of
thousands  of  unique  vis¬ 
itors  in  24  hours.  None  of 
them  had  any  big,  serious 
problems. ...  For  users  in 
the  U.S.,  performance  in 
IPv6  was  exactly  equiva¬ 
lent  to  IPv4.” 

The  only  disappoint¬ 
ment  for  Cisco  was  that  it  was  expecting  2%  of 
its  overall  traffic  at  www.cisco.com  to  be  IPv6 
on  World  IPv6  Day  instead  of  1%.  “That’s 
probably  something  we  need  to  focus  on  for 
the  next  phase:  working  with  the  ISPs  so  that 
they  enable  the  eyeballs,”  Fiocco  says. 

IPv6  explained 

IPv6  solves  the  problem  of  IPv4  address 
depletion  by  offering  a  virtually  limitless  pool 
of  IP  addresses  that  can  be  used  by  comput¬ 
ers,  smartphones,  home  appliances,  gaming 
devices  and  all  sorts  of  sensors  and  actuators 
that  have  yet  to  be  invented.  IPv4  uses  32-bit 
addresses  and  can  support  4.3  billion  devices 
connected  directly  to  the  Internet.  IPv6,  on 
the  other  hand,  uses  128-bit  addresses  and 
supports  2  to  the  128th  power  devices. 

One  problem  is  that  IPv6  is  not  backward 
compatible  with  IPv4.  So  network  operators 
and  content  providers  must  support  both  pro¬ 
tocols  in  a  side-by-side  configuration  known 
as  dual  stack.  Most  carriers  and  enterprises 
will  solve  that  problem  by  deploying  network 
address  translation  (NAT)  devices,  which 
convert  inbound  IPv6  traffic  into  IPv4  traffic 
so  IPv6-based  users  can  access  existing  IPv4- 
based  content  and  services. 

Another  problem  is  that  few  Internet  users 
have  IPv6  access  today.  This  was  evident  on 
World  IPv6  Day,  which  was  a  success  for  par¬ 
ticipating  content  providers  but  failed  to  draw 
as  much  IPv6  traffic  as  planners  had  hoped. 
The  percentage  of  overall  Internet  traffic  sup¬ 
porting  IPv6  doubled  on  World  IPv6  Day,  but 
it  still  failed  to  reach  even  a  quarter  of  1%  of 
Internet  traffic,  Arbor  Networks  says. 

“There  isn’t  a  lot  of  access  ability  for  customers,
for  subscribers  or  individuals,  to
give  them  a  direct  IPv6
globally  scoped  address 
to  get  them  to  IPv6  con¬ 
tent,”  says  Rob  Malan, 
co-founder  and  CTO 
of  Arbor  Networks. 
“Almost  all  IPv6  traf¬ 
fic  gets  converted  and 
then  goes  to  the  IPv4 
content.” 

One  of  the  key  issues 
for  CIOs  to  monitor  is 
the  rate  at  which  wire¬ 
less  and  broadband  car¬ 
riers  provide  their  new 
subscribers  with  IPv6 
addresses.  A  major 
driver  for  IPv6  is  Veri¬ 
zon’s  new  LTE  network, 
which  requires  that  all 
devices  support  IPv6.  Meanwhile,  Comcast, 
Time  Warner  Cable,  Cox  Communications 
and  other  U.S.  broadband  providers  have 
ongoing  IPv6  trials.  These  carriers  will  give 
IPv6  addresses  to  their  new  customers,  but  it 
will  be  a  long  time  before  they  upgrade  all  of 
their  existing  customers  to  IPv6.  So  content 
providers  must  support  both  protocols  for  the 
foreseeable  future. 

“The  content  side  is  the  easy  side  of  the 
problem.  The  harder  question  is:  How  soon 
will  you  have  a  massive  amount  of  IPv6  cli¬ 
ents  who  need  to  get  to  you?”  Malan  says. 
“Think  about  the  Linksys  modem  in  your 
house.  There  are  oodles  of  crusty  old  stuff  out 
there  that  needs  to  get  upgraded.  That  prob¬ 
lem  is  hard  and  expensive.” 

Experts  agree  that  CIOs  need  to  tread  care¬ 
fully  where  IPv6  is  concerned.  For  now,  they 
only  need  to  worry  about  IPv6-enabling  their 
public-facing  websites  and  Web  services. 
They  don’t  need  to  worry  about  upgrading 
anything  behind  the  firewall  on  their  private 
corporate  networks. 

The  drop-dead  deadline  for  IPv6 

When  do  a  company’s  public-facing  websites 
and  services  need  to  be  IPv6-enabled  in  order 
to  prevent  them  from  being  unreachable  to 
Internet  users  with  IPv6  addresses?  Nobody 
knows  for  sure  when  a  significant  number  of 
IPv6-only  users  will  emerge,  but  experts  say 
this  upgrade  needs  to  be  done  within  the  next 
18  months. 

John  Curran,  president  of  the  American 
Registry  for  Internet  Numbers,  which  doles 
out  IPv4  and  IPv6  addresses  to  network 
operators  in  North  America,  has  said  the 
drop-dead  deadline  for  U.S.  companies  to 
support  IPv6  on  their  websites  is  Jan.  1,  2012.

“It  needs  to  be  a  priority  by  the  end  of  the 
year,”  Brocade’s  Hankins  agrees.  “That  coin¬ 
cides  with  ARIN  running  out  of  IPv4  space  by 
the  end  of  the  year  or  early  next  year,  and  it  also 
coincides  with  LTE  deployment.  LTE  is  one 
of  the  major  drivers  for  IPv6  because  they  are 
expected  from  the  beginning  to  use  native  IPv6 
support  in  terms  of  having  users  access  online 
processes.” 

The  U.S.  federal  government  has  established 
Sept.  30,  2012,  as  its  deadline  for  all  public¬ 
facing  government  websites  to  support  IPv6. 
Federal  agencies  have  a  second  deadline  of 
Sept.  30, 2014,  to  upgrade  internal  client  appli¬ 
cations  that  communicate  with  public  Internet 
servers  to  use  native  IPv6. 

Alain  Durand,  director  of  software  engi¬ 
neering  at  Juniper,  says  CIOs  have  at  most 
18  months  to  get  their  Web  content  ready  for 
IPv6-only  customers.  Juniper  offers  a  special-purpose
website  for  IPv6  users  —  ipv6.juniper.net  —  today,
and  it  supported  IPv6  on  its  main
website  —  www.juniper.net  —  for  World  IPv6 
Day  using  its  own  routers  and  carrier-grade 
NAT  gear  that  it  calls  translator-in-the-cloud. 

“Starting  to  introduce  IPv6  and  starting  to 
turn  it  on  now  would  be  a  reasonable  thing 
to  do,”  Durand  says,  pointing  out  that  most 
broadband  providers  will  support  both  IPv4 
and  IPv6  for  a  while  into  the  future.  “In  the
beginning,  IPv6  may  go  through  some  sort  of 
NAT,  then  IPv6  may  go  native  and  IPv4  will 
go  through  some  sort  of  NAT.  The  question  for 
CIOs  is:  When  can  they  offer  a  better  service 
to  their  users  by  offering  content  natively  over 
IPv6? ...  There  comes  a  point  at  which  offering 
content  over  IPv6  offers  a  better  user  experi¬ 
ence  to  customers  and  offers  you  as  a  network 
manager  more  flexibility.” 

Durand  says  he  doesn’t  know  when  CIOs 
will  experience  traffic  management  issues  on 
their  networks  that  will  encourage  them  to 
switch  from  NAT  devices  to  native  IPv6.  One 
worry  is  that  it  will  be  harder  for  network 
operators  to  filter  out  denial-of-service  (DoS) 
attacks  when  NAT  devices  are  used  to  share 
IPv4  addresses  among  multiple  subscribers. 
That’s  the  kind  of  network  management  issue 
that  will  likely  prompt  network  operators  to 
deploy  native  IPv6  service. 

“If  you’re  using  IPv6  natively  or  translator-in-the-cloud,
you  have  access  to  the  originating
IP  source  and  you  can  filter  out  the  DoS  attack 
on  this  IPv6  address  and  only  remove  the  bad 
guy  without  impacting  the  other  99  or  999 
users,”  Durand  says. 

The  cheapest,  easiest  route  to  IPv6 

Experts  say  CIOs  only  need  to  upgrade  their 
public-facing  websites  and  services  to  support 
IPv6  in  the  near  term.  How  long  that  will  take 
and  how  much  it  will  cost  depends  on  the  size 
and  complexity  of  a  company’s  Web  presence. 

Major  content  providers  like  Google  and 
Yahoo  are  upgrading  their  entire  Web  server 
infrastructures  to  support  IPv6,  including 
Web  servers,  database  servers,  storage,  cach¬ 
ing  and  all  the  software  that’s  used  on  these 
systems.  Yahoo  has  been  working  on  IPv6- 
enabling  its  infrastructure  since  2008  and 
has  said  this  is  the  second-largest  engineering 
effort  for  its  IT  department,  behind  ongoing 
tech  refresh  efforts. 

CIOs  with  smaller  websites  are  likely  to 
choose  an  easier  approach:  adding  an  appli¬ 
ance  such  as  a  proxy,  gateway  or  NAT  device 
to  convert  IPv6  traffic  into  IPv4  for  accessing 
IPv4-based  content.  With  these  appliances, 
companies  don’t  have  to  upgrade  their  Web 
server  infrastructures  but  they  will  need  to 
upgrade  their  network  perimeter  and  routing 
infrastructure  to  support  IPv6  and  they  may 
need  to  support  transit  peering  for  IPv6. 

The  appliance  approach  is  gaining  popularity.
Brocade  uses  its  ServerIron  ADX  Server
Load  Balancer  and  Blue  Coat  uses  its  IPv6 
Secure  Web  Gateway  to  support  IPv6  on  its 
website.  For  World  IPv6  Day,  Cisco  used  its 
prototype  ACE  Session  Load  Balancer,  Juni¬ 
per  used  its  translator-in-the-cloud  offering 
and  A10  used  its  AX  Series  appliances. 

Enterprises  can  expect  to  spend  tens  or  hun¬ 
dreds  of  thousands  of  dollars  deploying  these 
appliances  at  the  front  end  of  their  websites  to 
support  IPv6,  depending  on  the  scale  of  their 
websites. 

Using  A10’s  AX  Series  Appliances  with
Server  Load  Balancing-Protocol  Translation 
to  support  IPv6  on  a  corporate  website  will 
cost  a  company  “anywhere  from  $15,000  to 
$200,000,  depending  on  the  performance  that 
they  need,”  says  Paul  Nicholson,  A10’s  director
of  product  marketing. 

An  alternative  is  for  CIOs  to  outsource  their 
Web  content  delivery  to  a  service  provider  like 
Akamai  or  Limelight  Networks,  both  of  which 
are  developing  commercial-grade  IPv6-based 
services  in  the  cloud.  DNS  and  hosting  provid¬ 
ers  also  may  provide  these  translation  services 
for  IT  departments  on  an  outsourced  basis.  ■ 
►  Cisco,  from  page  1

“We’re  structuring  Cisco  to  be  leaner, 
drive  innovation  faster,”  Chambers  told  the 
customer  audience.  “We’ve  got  to  be  easier 
to  do  business  with,  include  you  in  driving 
our  product  direction,  share  our  road  maps, 
have  an  easy-to-use  product  portfolio.  But 
innovation  is  the  buzzword  on  where  we’re 
going  to  go.” 

To  get  there,  though,  Cisco  is  expected  to 
cut  between  5,000  and  10,000  jobs  begin¬ 
ning  in  August,  the  first  month  of  its  2012  fis¬ 
cal  year  (Cisco’s  biggest  workforce  reduction 
to  date  took  place  in  2001  when  it  let  8,000 
people  go  during  the  dot-com  bubble).  Cisco 
has  lost  share  and  profits  in  switching,  and 
its  foray  into  consumer  electronics  has  been 
disappointing. 

Many  blame  Cisco’s  current  problems  on 
ambitious  incursions  into  30  or  so  adjacent 
markets  through  145  acquisitions  over  two 
decades  that  distracted  the  company  from  its 
core  routing  and  switching  business.  Cisco 
also  had  a  bloated  management  structure 
that  stalled  decision  making,  delayed  prod¬ 
uct  development  and  slowed  the  company’s 
progress. 

The  upheaval  still  to  come  at  Cisco  did  not 
dilute  the  company’s  mission  at  Cisco  Live! 
The  company  announced  the  most  significant 
upgrade  in  years  to  its  most  successful  switch 
—  the  Catalyst  6500.  Cisco  also  enhanced  its 
data  center  and  cloud  portfolio  with  exten¬ 
sions  to  its  Unified  Computing  Systems  blade 
server  chassis,  its  WAAS  WAN  acceleration 
appliances  and  its  IronPort  security  line. 

The  12-year-old  Catalyst  6500  got  a  new 
Supervisor  2T  routing  and  switching  engine 
which  doubles  the  switch’s  per-slot  capacity
to  80Gbps.  It  was  a  curious  announcement 
as  Cisco  had  cited  Catalyst  6500-to-Nexus 
7000  switch  migration  and  transition  as  a 
factor  that  eroded  profits  in  its  fiscal  second 
quarter  and  helped  set  in  motion  the  restruc¬ 
turing  that  Cisco  is  now  facing. 

Some  viewed  the  announcement  as  an 
attempt  by  Cisco  to  backpedal  on  the  Cata¬ 
lyst/Nexus  transition  in  an  effort  to  preserve 
profit  margins  in  switching,  or  as  an  indica¬ 
tion  that  Nexus  was  meeting  some  resistance 
in  the  $42  billion  Catalyst  6500  base. 

Cisco  said  it’s  merely  a  case  of  the  market 
“bifurcating”  into  separate  requirements  for 
the  enterprise  campus  vs.  the  data  center. 

“It  takes  different  technology,”  said  John 
McCool,  Cisco  senior  vice  president  and  gen¬ 
eral  manager  of  the  Core  Technology  Group. 
“We’d  be  silly  to  walk  away  from  that  installed 
base  and  loyal  set  of  customers.” 

It  also  gave  Cisco  an  opportunity  to  take 
another  swipe  at  bitter  rival  HP.  Indeed,  if 
Cisco  was  preoccupied  with  the  impending
layoffs  it  did  not  show  in  the  feistiness
with  which  it  positioned
the  Catalyst  6500  Sup 
2T  against  HP’s  A9508 
switch. 

“What  kind  of  innova¬ 
tion  have  we  seen  come 
out  of  HP?”  asked  Scott 
Gainey,  Cisco  director  of 
marketing  for  Unified 
Access  Solutions.  “The 
competition  is  on  notice:
Cisco  does  intend  to  compete
and  we  intend  to
compete  aggressively.” 

HP  responded  in  kind, 
noting  that  Cisco  was 
misleading  the  indus¬ 
try  and  its  customers  in 
comparing  the  Sup  2T  to 
the  A9508. 

The  UCS  enhance¬ 
ments  are  an  effort  to 
enhance  the  scalability  and  performance  of 
the  data  center  consolidation  system.  Cisco 
added  new  fabric  interconnects,  a  virtual 
interface  card,  a  chassis  I/O  module  and  an 
update  of  its  UCS  management  software  to 
the  UCS  portfolio. 

The  extensions  are  intended  to  address 
challenges  IT  managers  face  in  adopting  vir¬ 
tualization,  controlling  costs  and  scaling  to 
meet  growing  business  demands. 

But  in  addition  to  significant  product 
announcements,  the  Cisco  Live!  conference 
also  tackled  some  thorny  issues  that  cus¬ 
tomers  face.  While  Cisco  is  pushing  hard  on 
developing  and  selling  equipment  to  support 
the  growing  amount  of  video  traffic  in  IP  net¬ 
works  —  91%  of  IP  traffic  will  be  video  by  2014, 
the  company  claims  —  it  intimated  that  video 
may  not  be  ready  for  the  cloud,  and  vice  versa. 

Network  topology  issues  may  preclude 
enterprises  from  posting  internally  sensitive 
videos  to  a  cloud  service  like  YouTube,  says 
Guido  Jouret,  Cisco’s  vice  president  of  enter¬ 
prise  video  and  CTO  of  emerging  technology. 

Cisco  Cloud  CTO  Lew  Tucker  hosted 
a  panel  of  users,  integrators,  equipment 
manufacturers  and  service  providers  to  dis¬ 
cuss  if  enterprises  in  general  are  ready  for 
the  cloud.  The  panel  concluded  that  several 
wrinkles  regarding  software  licensing,  SLAs, 
cost-effectiveness,  reliability,  trust  in  the 
cloud  provider,  auditing  and  transparency, 
standards  and  interoperability,  data  privacy, 
and  whether  business  critical  applications 
can  truly  be  migrated  to  the  cloud  need  to  be 
ironed  out  before  cloud  computing  can  capa¬ 
bly  replace  a  private  IT  infrastructure. 

Harris  Corp.  used  the  analogy  of  airline 
reliability  in  assessing  cloud  reliability. 

“Cloud  has  to  do  IT  delivery  cost-effectively, 
but  also  do  it  with  safety,”  said  Wyatt  Starnes,
vice  president  of  advanced  concepts  and
cyber  integrated  solutions  for  Harris  Corp.’s 
Government  Communications  Systems  Divi¬ 
sion.  “There  are  five  orders  of  magnitude  dif¬ 
ference  in  business  maturity  (between  the 
airline  and  IT  industries):  Nine  or  10  9s  on 
passenger  safety  for  airline  industry”  vs.  five 
9s  for  computing.  “Our  measure  for  success¬ 
ful  cloud  delivery  should  not  be  compared 
to  data  centers;  it  should  be  compared  to  the 
airline  industry.” 

Cisco  CTO  Padmasree  Warrior  tackled, 
among  other  topics,  the  issue  of  whether  cus¬ 
tomers  want  and  can  benefit  from  a  single¬ 
vendor  network  vs.  a  multivendor  implemen¬ 
tation.  Cisco,  by  pushing  end-to-end  network 
architectures,  is  a  huge  proponent  of  the  sin¬ 
gle-vendor  approach  as  it  enhances  security, 
reliability,  multidevice  interoperability  and
quality  of  service,  the  company  claims. 

This  philosophy  has  been  taken  to  task 
by  industry  pundits  who  claim  that  single¬ 
vendor  networks  neither  lower  total  cost  of 
ownership  nor  simplify  operations. 

Cisco  also  used  Cisco  Live!  to  showcase 
some  data  center  customers  that  are  local  to 
Las  Vegas.  The  press  toured  an  innovative
data  center  that  patented  its  own  power  and
cooling  technique  for  a  400,000-square-foot,
100-megawatt,  highly  secure  colocation  facility
just  off  the  Vegas  Strip.

So  despite  the  gloom  of  the  imminent  lay¬ 
offs,  Cisco  did  not  lose  a  beat  at  its  annual 
customer  confab. 

Said  Chambers:  “Where  will  we  be  two  to 
three  years  from  now?  The  leader  in  our  five 
company  priorities,  faster  on  innovations, 
simplified,  leaner,  your  trusted  networking/ 
IT  and  business  partner.  We  will  make  faster 
decisions  and  be  a  more  focused  execution 
machine.”  ■ 
No  IT?  No  offices?  No  problem  for  this  virtual  firm


BY  TIM  GREENE


WITH  NO  official  corporate  office  or  IT  staff, 
the  30  full-time  Gurnet  Consulting  consul¬ 
tants  have  become  some  of  the  industry’s 
ultimate  power  cloud  and  social  network¬ 
ing  users. 

Consultants  within  the  firm,  which  special¬ 
izes  in  IT  project  management,  depend  almost 
exclusively  on  cloud  applications  such  as 
Google  Apps  and  Salesforce  and  social  media 
such  as  LinkedIn  and  Twitter  to  collaborate
with  each  other  and  build
key  professional  networks. 

Founder  and  CEO  of  the  firm  Mar¬ 
tin  King  says  the  company’s  virtual 
infrastructure  lets  the  company  run 
lean  and  quickly  adapt  new  tools  as 
they  become  available  in  the  cloud.  It 
also  gives  the  consultants  the  social 
glue  they  need  to  operate  effectively 
as  a  team.  “We  don’t  have  offices
where  we  can  talk  around  water 
coolers,”  King  says. 

The  company  starts  by  using 
Yammer  to  draw  its  consultants 
together  on  projects  and  in  per¬ 
sonal  relationships  that  help  build 
a  corporate  culture  in  the  absence 
of  a  face-to-face  business  environ¬ 
ment.  And  it  uses  cloud  applications 
Salesforce  and  Jobscience  to  track 
customer  engagements  and  keep  an  eye  on  a 
pipeline  of  prospective  new  consultants  the 
firm  might  need  to  hire  for  specific  projects. 

In  combination  with  Google  Apps  for  busi¬ 
ness  applications,  the  company  has  all  the 
platforms  it  needs  to  do  business,  eliminat¬ 
ing  the  need  for  IT  infrastructure  except  for 
laptops  and  smartphones,  King  says. 

Google  Apps  and  more 

For  its  core  business  Gurnet  uses  Google 
Apps  for  calendaring,  contacts,  instant  mes¬ 
saging  and  video  calls,  word  processing, 
spreadsheets,  slideshows  and  knowledge 
management.  Salesforce.com  provides  col¬ 
laboration  on  documents  such  as  proposals, 
statements  of  work  development  and  organi¬ 
zation  of  document  collateral  for  proposals. 
Job  proposals  developed  in  Google  Docs  are 
linked  to  job  opportunities  in  Salesforce.  Job- 
science  facilitates  recruiting  and  workflow. 

Gurnet  is  an  IT  consulting  company 
that  helps  its  clients  develop  and  manage 
IT  infrastructure  projects.  That  requires  a 
lot  of  attention  to  details,  such  as  whether 
the  client  businesses  have  the  personnel, 
infrastructure  and  systems  to  go  ahead  with
projects,  and  if  not,  how  to  get  them.

Gurnet  also  helps  write  RFPs,  choose 
vendors  and  formally  assure  that  projects 
will  be  completed  successfully,  then  helps 
clients  bring  the  newly  completed  projects 
into  routine  use. 

That  range  of  work  requires  a  lot  of  collabo¬ 
ration  and  a  pragmatic  way  to  achieve  it  and 
keep  it  organized.  That  pragmatic  approach 
embraced  cloud  services,  and  will  likely 
result  in  expanded  cloud  services,  King  says.


Martin  King,  founder  and  CEO  of  virtual  firm  Gurnet  Consulting,  relies 
on  cloud  services  and  social  networking  to  keep  his  company  running. 


For  example,  currently  the  firm  uses  spread¬ 
sheets  to  correlate  data  about  skills  needed  by 
clients  that  is  housed  in  Salesforce.com  with 
data  about  job  candidates  that  resides  in  Job- 
science.  The  spreadsheets  work,  but  creating 
them  is  a  time-consuming  manual  process. 

As  the  firm  grows,  that  process  will  become 
too  big  a  burden.  The  solution  will  likely  be 
upgrading  Salesforce  and  Jobscience  licenses 
so  the  two  services  can  be  integrated.  “That 
will  mean  exponentially  higher  license  fees, 
but  it’s  better  than  buying  servers  and  having
to  maintain  them,”  he  says. 

It  helps  too  that  Google  Apps,  Salesforce 
and  Jobscience  all  offer  limited  free  services  or 
trials  that  are  attractive  financially,  and  they 
promote  experimentation  with  new  ways  of 
doing  things.  Because  they  are  cloud-based, 
trials  can  be  set  up  quickly  with  no  infrastruc¬ 
ture  demands  on  Gurnet,  King  says.  “We  can 
do  rapid  prototyping  and  make  a  call  on  it 
pretty  fast,”  he  says.  A  three-month  free  trial 
of  Yammer,  for  instance,  led  to  Gurnet  pur¬ 
chasing  the  service. 

While  King  likes  the  flexibility  and  economy 
of  cloud  services,  he  does  worry  some  about 
availability.  But  he  has  faith  in  the  providers,
taking  their  size  and  popularity  as  indicators
that  they  deliver  highly  reliable  services.
“We’re  playing  with  the  big  boys  in  the  indus¬ 
try  so  I’m  not  too  worried  about  it,”  he  says. 

Putting  these  cloud-based  collaboration 
tools  in  the  hands  of  his  consultants  cou¬ 
pled  with  the  ease  of  use  of  the  applications 
has  had  good  results,  although  not  always 
predictable. 

Yammer  serves  to  share  personal  infor¬ 
mation  among  the  consultants  in  order  to 
create  a  closer  social  bond.  King,  for 
example,  posted  family  photos  from 
his  Fourth  of  July  vacation. 

But  it  is  also  used  to  share  ideas 
and  issues  consultants  face  when 
working  on  client  problems.  They 
see  each  other’s  posts  and  com¬ 
ment,  sometimes  generating  ideas 
that  result  in  effective  professional 
strategies. 

For  instance,  one  consultant  work¬ 
ing  with  a  client  on  merger/acqui¬ 
sition  due  diligence  and  another 
consultant  working  on  a  unified 
data  warehouse  for  a  client  with  36 
different  business  units  found  via 
their  Yammer  posts  that  they  shared 
similar  problems.  Both  were  using 
tools  and  techniques  to  onboard  data 
from  disparate  businesses.  Yammer 
helped  the  consultants  realize  they 
had  something  in  common  and  to  provide 
a  forum  for  sharing,  King  says,  ultimately 
resulting  in  better  outcomes  for  clients. 

Beyond  cloud  services,  King  also  promotes
use  of  social  networking:  It’s  mandatory  for
consultants  to  have  LinkedIn  and  Twitter
accounts,  and  Facebook  is  encouraged.
King  says  he  has  even  won  useful  feedback 
and  connections  from  posts  he  has  made 
about  articles  he  was  reading  on  his  Kindle 
e-reader. 

Gurnet’s  use  of  social  networking  is  also  a 
business  development  tool.  A  comment  King 
posted  on  LinkedIn  elicited  a  response  from
an  IT  executive  at  a  retail  chain  that  led  to  a 
chat  and  then  to  an  in-person  meeting  and 
ultimately  a  work  engagement. 

The  social  networks  also  provide  a  reser¬ 
voir  of  professional  experts  that  Gurnet  can 
tap  when  outside  expertise  on  client  engage¬ 
ments  is  required. 

The  firm  has  also  referred  potential  clients 
to  members  of  its  social  network-based  pro¬ 
fessional  stable  when  it  lacked  the  expertise 
they  were  seeking.  Gurnet  didn’t  get  a  con¬ 
tract,  but  the  referral  generated  goodwill,  he 
says.  ■ 
Verizon’s  center  is  like
a  4G  Tomorrowland 


BY  BRAD  REED

HAVE  YOU  ever  gone  to 
Tomorrowland,  the  Disney 
theme  park  that  dazzles  you 
with  tantalizing  glimpses  of 
what  future  technology  will 
bring?  Well,  that’s  sort  of  what 
Verizon  Wireless  was  shooting 
for  at  its  LTE  Innovation  Center  debut  exhibition  last  week. 

During  both  the  opening  ceremonies  and  the  exhibit  tours,  Innovation
Center  representatives  showed  off  several  new  products  that
utilize  Verizon’s  LTE  wireless  network  to  make  life  just  a  wee  bit  more 
convenient  (early  tests  of  commercial  services  have  shown  LTE  down¬ 
load  speeds  in  the  7Mbps  to  12Mbps  range,  although  these  speeds  are 
likely  to  decline  once  more  users  subscribe  to  the  services). 

The  LTE  Innovation  Center,  located  in  Waltham,  Mass.,  is  meant 
to  be  a  collaboration  hub  where  startups  can  get  advice  and  technical 
know-how  from  the  pros  at  Verizon  and  its  equipment  partners.  In 
other  words,  if  you’re  a  young  company  that  knows  nothing  about 
LTE  but  would  like  to  incorporate  it  into  your  product  to  give  it  more 
mobility,  you  now  have  a  place  to  go. 

During  a  panel  discussion,  representatives  from  three  tech  compa¬ 
nies  talked  about  how  LTE  had  added  an  element  of  mobility  to  their 
products  that  exceeded  anything  they  could  have  had  with  Wi-Fi.  Bob 
Klingle,  the  CEO  of  LiveEdge,  said  that  LTE  was  the  key  to  letting  his 
company  create  television  news  cameras  that  could  broadcast  from 
anywhere  on  the  spot  without  having  to  wait  around  for  a  satellite 
truck.  He  also  said  that  his  company  would  never  have  survived  if  he 
didn’t  get  hands-on  help  from  Verizon,  Alcatel-Lucent  and  Ericsson. 

“I  was  looking  at  mothballing  the  company  because  we  just 
weren’t  there  and  the  technology  wasn’t  there,”  he  explained.  “But 
we  have  the  good  fortune  to  run  into  Verizon  and  Ericsson  and  the 
Innovation  Center ...  we  now  have  a  product  that  NBC  and  CBS  and 
Fox  desperately  want  to  change  their  cost  structure  and  to  democ¬ 
ratize  live  news  gathering.” 

Tim  Root,  CTO  of  VGo  Communications,  explained  how  LTE 
made  it  possible  for  the  company  to  mount  a  teleconferencing  ser¬ 
vice  on  top  of  one  of  its  mobile  robots  that  gives  people  the  ability 
to  simulate  moving  around  a  room  during  a  videoconference.  As 
an  example,  he  cited  a  boy  who  had  an  immune  disorder  that  pre¬ 
vented  him  from  attending  school  in  person.  The  school  gave  him 
some  help  by  installing  a  VGo  telepresence  robot  in  the  classroom 
and  letting  him  attend  classes  through  the  robotic  interface.  Root 
explained  that  this  added  mobility  was  something  that  only  could 
have  been  accomplished  with  a  high-bandwidth  wireless  network 
with  sufficient  range  to  ensure  constant  connectivity. 

One  of  the  most  striking  uses  of  LTE  at  the  demonstration  came 
in  the  realm  of  transportation,  as  the  team  at  the  center  has  put 
together  prototype  cars  and  bicycles  that  incorporate  the  technol¬ 
ogy  into  their  standard  functionality.  In  the  case  of  the  bicycle,  the 
team  is  experimenting  with  having  a  webcam  strapped  to  the  front 
of  the  bike  while  having  another  webcam  and  monitor  attached  to 
the  handlebars,  facing  the  rider.  So  if  parents  need  to  see  where  their 
children  are  or  if  they  need  to  call  them  home,  the  parents  can  now 
do  so  using  a  home  interface  that  connects  with  both  cameras.  ■ 
►  Microsoft,  from  page  1

database  and  VMware’s  virtualization  are
overpriced,  Turner  said.

But  Microsoft’s  Worldwide  Partner  Con¬ 
ference  in  Los  Angeles  didn’t  focus  just  on 
competitors.  Microsoft  talked  about  upgrade 
paths  from  existing  products 
and  previews  of  upcoming 
ones  such  as  Windows  8  for 
the  desktop,  Windows  Server 
8,  a  Skype-powered  Lync  com¬ 
munications  suite  and  the  next 
version  of  SQL  Server. 

Once  Microsoft  completes 
its  $8.5  billion  purchase  of 
Skype,  the  consumer-focused 
chatting  and  calling  service 
will  be  heavily  integrated  with 
the  business-focused  Lync 
unified  communications  soft¬ 
ware,  Ballmer  said. 

“One  of  the  great  motiva¬ 
tions  in  acquiring  Skype  is  to 
enable  the  enterprise  to  have 
all  the  control  it  wants  in  communication  and 
collaboration  through  Active  Directory  and 
Lync,  and  yet  be  able  to  connect  people  within 
enterprises  to  consumers,  businesses  and 
trading  partners  around  the  world,”  Ballmer 
said.  “Lync ...  with  Skype  is  a  strategy  that  will 
allow  the  consumerization  of  IT  to  really  pro¬ 
ceed  with  full  vim  and  vigor.” 

Microsoft  also  talked  up  the  future  of  Win¬ 
dows.  Any  desktop  PC  capable  of  running 
Windows  7  will  be  upgradable  to  Windows 
8  because  Microsoft  plans  to  keep  hardware 
requirements  level  or  even  lower  them,  the 
company  said. 

Despite  strong  Windows  7  sales,  Windows 
XP  is  still  the  most  widely  used  operating  sys¬ 
tem,  and  Microsoft  has  consistently  told  busi¬ 
nesses  it’s  time  to  move  off  the  OS,  which  will 
no  longer  be  supported  after  April  2014. 

Windows  8  will  be  optimized  for  both 
PCs  and  tablets,  and  Microsoft  pledged  that 
Windows  8  tablets  will  be  able  to  do  virtually 
anything  a  PC  can  do,  perhaps  a  differentia¬ 
tor  from  Apple’s  iPad,  which  uses  a  different 
operating  system  than  Mac  computers. 

Microsoft previewed Windows Server 8, which will feature upgrades to the Hyper-V virtualization platform. Reliability will be improved because of a new Hyper-V replication service that makes it easier to replicate virtual machines hosting databases and other applications to remote data centers.

“Hyper-V Replica works with any server vendor, any storage vendor, any network vendor, making it the ideal platform to deliver new service offerings,” virtualization program manager Jeff Woolsey said. “With Windows Server 8 we’re delivering massive, massive scale in the box, and we’re delivering mission-critical reliability enhancements.”

Release  dates  for  Windows  Server  8  and 
Windows  8  haven’t  been  revealed,  but  Micro¬ 
soft  said  it  will  provide  further  previews  of 
their  capabilities  in  September  at  the  compa¬ 
ny’s  Build  conference  in  Anaheim,  Calif. 


SQL  Server  and  System  Center  2012  were 
also  on  the  agenda  at  the  Worldwide  Partner 
Conference.  Along  with  the  next  version  of 
Windows  Server,  these  products  will  provide 
the  foundation  of  Microsoft’s  private  cloud 
technology. 

Microsoft  server  and  tools  chief  Satya 
Nadella  promised  that  System  Center  2012 
will  work  with  multiple  hypervisors  and 
multiple  guest  operating  systems,  “because 
we  recognize  customers  are  going  to  be 
heterogeneous.” 

Microsoft  launched  an  updated  beta  of 
Denali,  the  next  version  of  SQL  Server.  This 
is  the  third  beta  since  last  November  when  it 
issued  the  first  preview  of  Denali,  which  will 
replace  SQL  Server  2008  R2. 

The release of the latest beta marks the first time “customers can begin testing ... features ... including SQL Server AlwaysOn and Project ‘Apollo’ for added mission critical confidence, Project ‘Crescent’ for highly visual data exploration that unlocks breakthrough insights, and SQL Server Developer Tools, code-named ‘Juneau,’ for a modern development experience across server, BI and cloud development projects,” Microsoft said.

System  Center  2012  will  feature  App  Con¬ 
troller,  formerly  known  as  “Project  Concero,” 
to  give  IT  managers  greater  control  over 
applications  across  public  clouds  and  their 
private  data  centers,  and  application  man¬ 
agers  a  self-service  interface  to  deploy  and 
manage  applications. 

Microsoft  is  also  opening  a  beta  for  an 
Operations  Manager  capability  in  System 
Center  2012. 

“Operations Manager is a key component that provides end-to-end application service monitoring and diagnostics across Windows, other platforms and Windows Azure,” Microsoft said. “Operations Manager will fully integrate technology from the AVIcode acquisition for monitoring and deep insights into applications.”

Microsoft’s  private  cloud 
software  is  designed  to  connect 
with  its  public  cloud  known  as 
Windows  Azure.  Azure  lets 
customers  build  applications 
to  be  hosted  in  Microsoft  data 
centers,  but  lags  rivals  Amazon 
EC2,  Google  App  Engine  and 
Salesforce’s  platform  cloud  in 
adoption. 

At  the  conference,  Microsoft 
also  announced  an  expansion 
of  the  cloud-based  desktop 
management  service  Intune, 
with  enterprise-focused  fea¬ 
tures  such  as  the  ability  for 
administrators  to  distribute 
and  install  third-party  software 
across  their  systems.  Microsoft  also  provided 
an  update  on  its  strategy  for  cloud-based  ERP 
and  CRM  software. 

The  next  update  of  CRM  Online  will  be 
available  in  the  fourth  quarter,  and  custom¬ 
ers  with  more  than  100  seats  will  be  able  to 
get  unified  billing  and  provisioning  for  CRM 
Online  and  Office  365,  the  recently  launched 
cloud  productivity  suite.  CRM  Online  is  also 
getting  a  social  media  makeover  with  the 
addition  of  real-time  activity  feeds  that  can 
be  tracked  both  within  the  application  and 
on  Windows  7  mobile  devices.  On  the  ERP 
front,  Microsoft  plans  to  allow  its  Dynamics 
ERP  software  to  run  on  the  Windows  Azure 
cloud. 

Despite  this  breadth  of  offerings,  Microsoft 
has  lost  some  of  its  luster  to  rival  Apple,  which 
passed  it  in  market  cap,  profit  and  revenue. 
Redmond’s  partner  conference  gave  it  the 
opportunity  to  boast  about  the  numbers  that 
show  Microsoft  is  still  growing. 

Windows  7  has  sold  400  million  licenses 
in  less  than  two  years,  Office  2010  has  sold 
more  than  100  million  licenses,  50,000  busi¬ 
nesses  have  trialed  Office  365  since  the  cloud 
service’s  launch  in  late  June,  Windows  Server 
locked  up  75%  of  quarterly  hardware  ship¬ 
ments,  and  usage  of  the  Bing  search  engine 
has  tripled  in  the  past  year. 

The  only  disappointment  Ballmer  men¬ 
tioned  was  Windows  Phone  7,  but  he  claimed 
the  future  is  bright. 

“Phones:  We’ve  gone  from  very  small  to 
very  small  but  it’s  been  a  heck  of  a  year,” 
Ballmer  said.  “You’re  going  to  see  a  lot  of  prog¬ 
ress  in  that  market.”  ■ 

The  IDG  News  Service  contributed  to  this  report. 


My iOS love affair

Mark Gibbs’ Gearhead

My love affair with iOS devices (in other words, the iPad 1 and 2, the iPhone, and the iPod Touch) continues apace. I keep finding new iOS-related products that are really useful and many that are both useful and cool.

In the latter category, for example, is Microsoft’s free Photosynth, a system for creating photographic panoramas. But rather than displaying the captured scene as one superwide image, Photosynth panoramas are displayed in a more regularly sized window and using your mouse or cursor keys, you can pan around and zoom in and out of the image providing a more realistic rendering of a scene.

While you can upload a series of overlapping images from any camera to the Photosynth site and then have them “stitched” into a panorama, the iOS versions detect the overlaps between adjacent images as you take them and stitch the panoramas together without having to use the online service.

You can also upload the panoramas or a specific view from one directly to Facebook when your iOS device is connected to the ‘Net.

While you might think of this app as more of a hobbyist tool it offers unique communications opportunities in disciplines such as architecture, realty and engineering. Photosynth for iOS gets a rating of 5 out of 5.

While I’m on the subject of visual apps, I’ve been testing Splashtop Remote Desktop. A remote screen viewer for iOS, Splashtop can stream the desktop image from OS X and Windows hosts to iPads and iPhones (Android and HP webOS versions are also available) and the connections can transparently traverse firewalls.

The visual results are very good with options to scale the remote screen to the iOS screen or keep it full size and pan the remote image. The rendition of the remote desktop is excellent and glitch-free (I saw no “stuttering” as the remote screen updated which is something that some competing products suffer from).

Splashtop supports multitouch gestures for remote screen navigation and provides an extended onscreen keyboard (though if you’re using a physical keyboard with your iOS device, Splashtop ignores it).

One thing that didn’t work at all was sound despite the Splashtop specs claiming that audio sent from the remote host will be reproduced on the iOS device. I couldn’t get audio to work at all with either Windows Vista or OS X as the remote system.

The Splashtop app, priced at $1.99, gets a rating of 3.5 out of 5.

My final product is, I admit, a bit of a tease because it is a new, and, as yet, unreleased device: The Kingston Wi-Drive.

The Wi-Drive provides extra storage for iOS and other smartphone devices at a price that makes buying, say, a more expensive iPad to get more storage kind of silly.

Due to ship at the end of July, the Wi-Drive will be priced at $130 for 16GB and $175 for 32GB. At 121.5mm x 61.8mm x 9.8mm the Wi-Drive is smaller than an iPhone and has a rechargeable battery that gives about four hours of use.

What’s really neat is that the Wi-Drive not only provides secure 802.11n Wi-Fi access to its onboard storage for up to three devices but also acts as a Wi-Fi relay to provide access from the connected iOS devices to another Wi-Fi service.

So far I’m pretty impressed. Running prerelease firmware, the Wi-Drive’s performance is very good and its companion iOS application is stable and straightforward to use. Once I have the final, shipping Wi-Drive firmware, I’ll provide a more extensive review. For now, the Wi-Drive looks very promising. ■

Gibbs is well-padded in Ventura, Calif. Access him remotely at gearhead@gibbs.com.

[Photo caption: The Wi-Drive provides extra storage for smartphones.]
tablet race, but has some catching up to do

Keith Shaw’s Cool Tools

THE SCOOP

TouchPad by HP, about $500 (for 16GB; 32GB costs $600)

► What it is: HP’s entry into the consumer-oriented tablet game, the webOS-enabled TouchPad features a 9.7-inch, LED backlit display, Wi-Fi connectivity, choice of 16GB or 32GB of storage space.

►  Why  it's  cool:  The  main  selling  point  of  webOS  is 
its  ability  to  handle  multitasking  —  with  this  device, 
you  can  open  multiple  applications  at  the  same 
time,  and  then  flick  back  and  forth  with  your  finger 
to  go  back  to  what  you  were  doing  when  you  started 
the  new  app,  etc.  The  ability  to  close  an  app  by  just 
flicking  it  away  like  a  playing  card  is  also  a  neat 
little  trick.  The  device  supports  Adobe  Flash,  so  you 
can  view  Flash-heavy  websites  such  as  YouTube 
through  the  Web  browser  instead  of  a  separate  app. 

For  business  users,  the  TouchPad  offers  sup¬ 
port  for  Exchange  ActiveSync  and  VPNs,  as  well 
as  over-the-air  management  and  data  security 
features  (remote  wipe,  for  example).  The  sold- 
separately  HP  Touchstone  Charging  Dock  is  very 
nice,  creating  a  stand  that  can  be  used  to  view  the 
TouchPad  upright,  and  still  inductively  recharge 
the  unit  (no  cables  needed  for  the  recharge). 

► Some caveats: The TouchPad features a 1.2 GHz Qualcomm dual-core Snapdragon processor, but this seemed to make all of the apps run a lot slower than on other tablets I’ve tried, especially the dual-core A5-enabled iPad 2 (heck, even my older iPad ran apps faster). For example, loading and running the Facebook app via the TouchPad took several minutes (four-plus), and when my news feed did show up, it took longer to load up friends’ icons and their photos. Even on a Wi-Fi network.

The  TouchPad  also  suffers  from  fewer  webOS 


apps  available  than  on  the  Android  Market  or  i 
Apple  App  Store  —  and  apps  that  are  specifically
aimed  at  the  TouchPad  are  even  more  scarce.  Si 
most  of  the  basics  are  there,  but  users  will  have  to 
be  patient  and  hope  that  more  apps  will  be 
developed  for  this  device. 

The  lack  of  a  rear-facing  camera  also  is  wor¬ 
risome,  putting  it  behind  the  iPad  2  and  other 
Android  tablets.  The  front-facing  camera  can  be
used  for  video  calls,  but  you  can’t  take  photos  or 
videos  with  it  (at  least,  not  easily).  Other  missing 
features  include  only  32GB  of  storage  (compared 
to  the  high-end  64GB  available  with  Apple),  and 
no  3G/4G  connectivity  options  —  it’s  Wi-Fi  only. 

Even  connecting  to  the  Wi-Fi  network  was 
tricky  —  on  initial  setup,  it  wouldn’t  connect  to 
my  corporate  Wi-Fi  network,  which  requires 
additional  authorization  via  Web  browser.  After 
going  to  my  home  network  for  the  initial  setup, 
the  TouchPad  could  then  connect  to  the  corporate 
network,  but  specific  apps  still  had  a  hard  time 
detecting  whether  I  was  logged  in  or  not.  More 
often  than  not,  an  app  would  say  that  I  wasn’t  con¬ 
nected  and  leave  me  hanging  rather  than  bringing 
up  a  browser  window  in  order  to  authenticate. 

►  Bottom  line:  As  HP’s  first  tablet  to  the  market, 
it’s  not  a  bad  piece  of  equipment,  but  when  you 
compare  it  with  what’s  also  out  there,  the  cracks 
begin  to  show.  If  HP  can  ramp  up  quickly  with  a 
second  model  that  surpasses  what’s  out  there  in 
terms  of  hardware  and  software  (a  tall  order  con¬ 
sidering  what’s  out  there  from  Google  and  Apple), 
then  HP  has  a  horse  in  the  race.  If  not,  it’s  bound 
for  the  “just  another  tablet”  pile. 

►  Grade  *nM  (out  of  five). 

Shaw  can  be  reached  at  kshaw@nww.com. 
EXPERTS FACE OFF on the HOTTEST TOPICS

Layered security defenses: Which layer is more critical, network or endpoint?

Net layer delivers situational awareness

Eric Knapp, director of critical infrastructure markets, NitroSecurity

WHILE ENDPOINT SECURITY IS AN important component of a strong defense-in-depth posture, the network layer is more critical because it helps eliminate inbound vectors to servers, hosts and other assets while providing an excellent basis of activity monitoring that improves our overall situational awareness.

This  is  important  because,  while 
endpoint  security  has  improved  sig¬ 
nificantly  with  the  introduction  of 
application  whitelisting  and  other 
technologies,  our  systems  and  devices 
are  simply  too  diverse  and  too  inter¬ 
connected  to  ensure  that  host  security 
can  be  deployed  100%  ubiquitously 
and  effectively.  All  it  takes  is  a  single 
chink  in  the  endpoint  security  armor 
to  create  a  beachhead  for  attackers. 

Network  security  isn’t  a  silver  bullet  either,  of  course.  Even 
using  unidirectional  gateways  (the  network-layer  equivalent  to 
application  whitelisting,  where  absolute  protection  is  provided 
at  the  physical  layer),  there’s  the  chance  that  a  hardened  network 
shell  can  be  bypassed,  exposing  the  gooey  interior  of  networked 
hosts.  However,  the  network  is  the  common  denominator,  the 
nexus  of  all  systems,  applications  and  services.  By  properly 
monitoring  it,  the  larger  threats  are  detectable  and  the  hosts 
themselves  are  ultimately  more  secure. 

Active  protection  using  standard  network  secu¬ 
rity  devices  such  as  firewalls  and  intrusion-preven¬ 
tion  systems  (IPS)  is  a  start.  Network  activity  moni¬ 
toring  using  intrusion-detection  systems,  network 
flow  analysis  and  more  holistic  systems  such  as 
network  behavior  analysis  tools,  log  management 
and  security  information  and  event  management 
(SIEM)  systems  rounds  out  point  protection  devices 
and  provides  a  broader  threat  detection  capability. 

In  other  words,  network-based  security  is  more 
than  just  a  layer  of  defense;  it’s  a  keystone  to  obtain¬ 
ing  situational  awareness,  showing  security  ana¬ 
lysts  how  all  of  those  discrete  host  security  events 
relate  to  each  other  and  to  the  important  security 
and  compliance  policies  of  the  company. 

When  utilized  properly,  network-layer  security 
information  can  be  used  in  conjunction  with  appli¬ 
cation  whitelisting  on  the  host  to  create  something 

►  See  Knapp, page  22 


It all hangs on the endpoint

James Lyne, director of technology strategy, Sophos

Which layer is more important? Network (80%), Endpoint (20%). Cast your vote and see comments at tinyurl.com/5vg6ydy

RADICALLY CHANGING ATTACK patterns, roaming users, a plethora of platforms that need to be protected and the increasing need to encrypt more data are factors that are conspiring to make endpoint security the critical control for security delivery.

The  encryption  factor  alone  man¬ 
dates  the  change  in  thinking.  With 
traffic  encrypted  at  the  transport  or 
data  layer,  network-based  inspection 
becomes  unrealistic,  keeping  network 
devices  from  doing  their  job.  The  end¬ 
point,  on  the  other  hand,  is  able  to  see 
the  data  pre-encryption,  allowing  for 
performance  inspection  of  traffic. 

Furthermore,  greater  context  is 
available  at  the  endpoint  for  security 
operations.  Today  in  SophosLabs,  we 
see  more  than  95,000  individual  pieces  of  malicious  code  every  day 
and  find  a  new  infected  Web  page  every  few  seconds,  an  astound¬ 
ing  increase  in  quality  and  quantity  of  malware  over  previous 
years.  The  content-based  detection  techniques  that  have  been  used 
for  the  past  25  years  are  increasingly  ineffective  against  this  mass  of 
malicious  code.  At  the  endpoint,  visibility  of  the  applications,  data, 
behaviors  and  system  health  can  be  used  to  make  more  accurate 
decisions  and  better  proactive  protection. 

Compare  for  example,  the  task  of  trying  to  identify  and  block 
Skype  (say  nothing  of  more  tricky  malicious  code).  At  the  endpoint 
you  simply  identify  Skype.exe  (using  a  variety  of 
mechanisms  —  not  just  name),  whereas  trying  to 
achieve  this  in  the  network  you  need  to  decode  the 
packets  to  find  the  interesting  information  within 
the  packet,  which  can  be  exceedingly  challenging 
given  that  there  are  thousands  of  different  formats. 
Oftentimes  these  can  be  disguised  as  other  forms 
of  legitimate  traffic. 

More  users  are  also  accessing  data  and  applica¬ 
tions  from  the  road,  in  many  cases  now  directly 
from  cloud  services.  If  the  traffic  isn’t  backhauled 
through  the  business,  network  security  loses  vis¬ 
ibility  traditionally  provided  at  the  perimeter  and 
the  fabric  of  the  network.  Security  capabilities  like 
URL  lookup  for  infected  websites  therefore  need  to 
be  available  wherever  the  device  is.  Endpoint  and 
cloud-based  protection  allows  this. 

Network  security  is  easier  to  deploy  than 

►  See  Lyne, page 22 


www.networkworld.com  JULY  18, 2011  21 


techdebate 
even better. The term “smart listing,” first coined at a SANS Institute security conference in London, introduced the concept of using security events from application whitelisting agents on the host to complete the feedback loop to network security devices, which typically block traffic based on blacklists, or defined signatures that tell the firewall or IPS what we know is “bad.”

When a zero-day exploit slips past these blacklist defenses and hits a host protected with some sort of application control, the exploit will be blocked and the details will (hopefully) be logged.

But  where  did  that  exploit  come  from?  Was  it  an  insider  threat, 
or  something  more  advanced  originating  from  another  country? 
The  only  way  to  answer  those  questions  is  to  look  at  the  network 
itself,  specifically  at  the  network-layer  security  events,  as  well  as 
network  flow  information. 

When  we  see  something  that  is  clearly  of  malicious  intent 
attempting  to  execute  applications  on  a  protected  host,  we  can 
intuit  that  the  application  is  malicious  and  adjust  our  blacklists 
accordingly.  In  other  words,  we  create  a  “smart  list”  of  what  we 
infer  to  be  malicious,  based  upon  intelligence  obtained  from  the 
host,  but  assessed  within  the  context  of  the  network  layer. 

Only  with  this  level  of  automated  intelligence  and  network- 
layer  awareness  can  the  most  sophisticated  attacks  be  detected 
and  then  blocked  at  the  perimeter  using  network-layer  security 
controls.  Because  if  the  network  lets  the  attack  in,  it  will  eventually 
find  its  beachhead:  that  one  desktop,  server,  printer  or  some  other 
device  that  isn’t  adequately  protected. 

There’s  a  lot  of  covert,  mutating  and  otherwise  sophisticated 
malware  available,  so  if  an  attack  does  successfully  land  it’s  going 
to  gnaw  away  at  systems  until  a  weakness  is  found.  When  both 
network  and  host  security  are  hardened,  the  resulting  security 
Gobstopper  is  going  to  be  difficult  for  attackers  to  chew  on.  ■ 

NitroSecurity  provides  both  intrusion  prevention  systems  as  well 
as  the  only  SIEM  system  to  include  integrated  network-based 
application  content  and  database  transaction  monitoring. 
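
The feedback loop described in Knapp's piece, sketched as an added example (it is not NitroSecurity's code or any product's logic): host whitelisting block events are joined to the flow records that delivered data to the same host shortly before, and a source is listed only when it precedes blocks on more than one host. The record shapes, thresholds, addresses, hash placeholders and the `never_block` list are constructed assumptions.

```python
"""Added illustration of "smart listing"; all data and names are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class BlockEvent:
    """Execution denied by a host application-whitelisting agent."""
    ts: datetime
    host_ip: str
    file_hash: str


@dataclass(frozen=True)
class Flow:
    """Unidirectional flow record: nbytes sent from src_ip to dst_ip."""
    start: datetime
    src_ip: str
    dst_ip: str
    nbytes: int


INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed site address plan


def origin_of(ip):
    """Answer the 'insider or outside?' question from the address alone."""
    addr = ip_address(ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def build_smart_list(events, flows, window=timedelta(minutes=5),
                     min_hosts=2, min_bytes=1024, never_block=frozenset()):
    """Return {source_ip: details} for sources that delivered data to at least
    min_hosts distinct hosts within `window` before a blocked execution."""
    by_dst = defaultdict(list)
    for f in flows:
        # Skip tiny flows (too small to carry a payload) and protected
        # infrastructure such as patch servers that touch every host.
        if f.nbytes >= min_bytes and f.src_ip not in never_block:
            by_dst[f.dst_ip].append(f)

    seen = defaultdict(lambda: {"hosts": set(), "hashes": set()})
    for ev in events:
        for f in by_dst.get(ev.host_ip, []):
            if ev.ts - window <= f.start <= ev.ts:
                seen[f.src_ip]["hosts"].add(ev.host_ip)
                seen[f.src_ip]["hashes"].add(ev.file_hash)

    smart = {}
    for src, info in seen.items():
        if len(info["hosts"]) < min_hosts:
            continue  # one host is coincidence, not yet evidence
        origin = origin_of(src)
        smart[src] = {
            "origin": origin,
            # External sources go to the perimeter blacklist; an internal
            # source is a machine to investigate, not a firewall rule.
            "action": "block_at_perimeter" if origin == "external"
                      else "investigate_internal_host",
            "hosts": sorted(info["hosts"]),
            "hashes": sorted(info["hashes"]),
        }
    return smart


def t(hms):
    return datetime.strptime("2011-07-18 " + hms, "%Y-%m-%d %H:%M:%S")


# Constructed sample data (documentation address ranges, placeholder hashes).
EVENTS = [
    BlockEvent(t("09:00:30"), "10.1.1.20", "HASH_A_PLACEHOLDER"),
    BlockEvent(t("09:07:10"), "10.1.2.31", "HASH_A_PLACEHOLDER"),
    BlockEvent(t("11:15:00"), "10.1.3.44", "HASH_B_PLACEHOLDER"),
    BlockEvent(t("11:20:00"), "10.1.3.45", "HASH_B_PLACEHOLDER"),
]
FLOWS = [
    Flow(t("08:30:00"), "203.0.113.50", "10.1.1.20", 50_000),   # outside window
    Flow(t("09:00:05"), "203.0.113.50", "10.1.1.20", 48_213),
    Flow(t("09:00:10"), "10.0.0.5", "10.1.1.20", 90_000),       # patch server
    Flow(t("09:00:20"), "192.0.2.9", "10.1.1.20", 120),         # tiny flow
    Flow(t("09:06:40"), "203.0.113.50", "10.1.2.31", 48_213),
    Flow(t("09:06:45"), "10.0.0.5", "10.1.2.31", 90_000),       # patch server
    Flow(t("09:06:50"), "198.51.100.7", "10.1.2.31", 120_000),  # seen once only
    Flow(t("09:06:55"), "192.0.2.9", "10.1.2.31", 120),         # tiny flow
    Flow(t("11:14:00"), "10.1.9.9", "10.1.3.44", 300_000),
    Flow(t("11:19:30"), "10.1.9.9", "10.1.3.45", 300_000),
]
NEVER_BLOCK = frozenset({"10.0.0.5"})

if __name__ == "__main__":
    for src, info in build_smart_list(EVENTS, FLOWS, never_block=NEVER_BLOCK).items():
        print(src, info)
```

The `min_hosts` and `never_block` guards matter as much as the join itself: without them a patch server or a busy content host that happens to talk to a machine before a block would land on the perimeter blacklist.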


►  Lyne,  from  page  21 

endpoint  security  because  companies  can  roll  it  out  in  a  few  places 
on  the  network  instead  of  having  to  deploy  on  every  individual  PC. 
However,  when  security  goes  wrong  and  a  device  gets  infected, 
endpoint  protection  offers  the  ability  to  clean  up  malicious  code 
and  reverse  the  damage  or  remediate  problems,  something  net¬ 
work-layer  security  cannot  do. 

To  be  fair,  being  at  the  endpoint  is  a  constant  battle  because  a  lot 
of  malicious  code  is  designed  to  disable  endpoint  security  software. 
Inspection  from  the  network  does  not  have  this  problem.  The  good 
news:  Malware  at  the  endpoint  can  be  detected  as  it  attempts  to 
infect  others  or  dial  home. 

All  in  all,  both  forms  of  security  are  important  to  protect  against 
the  modern  threat.  Some  security  functions  that  were  traditionally 
delivered  at  the  network  need  to  be  transitioned  to  the  endpoint 
for  effective  performance  and  compatibility  with  the  new  army  of 
roaming  users. 

Conversely,  network  solutions  can  cover  devices  where  agent 
deployment  is  not  realistic,  visiting  guests  or  systems  which  might 
have  had  their  endpoint  software  disabled  by  malware  and  where 
network-level  attacks  and  snooping  can  more  readily  be  identified. 

With  such  a  large  quantity  of  malware  out  there  and  more 
targeted  attacks,  the  more  layers  you  run,  the  bigger  the  net  you 
spread  to  catch  cyber  criminals. 

Traditionally  endpoint  and  network  security  have  been  handled 
as  isolated  areas  by  different  teams.  Increasingly,  in  response  to 
broader  threats  and  new  devices,  there  are  benefits  in  having  them 
work  together.  Sharing  information  between  the  network,  end¬ 
point  and  cloud  will  be  the  direction  of  modern  security.  ■ 

Sophos  is  both  an  endpoint  and  network  security  provider.  It 
believes  that  both  layers  are  a  necessary  part  of  the  solution  and 
increasingly  need  to  be  joined  up  and  work  together  to  provide  a 
more  complete  security  solution. 

©  Send  Debate  Suggestions  to  jdix@nww.com 


Porthole view

First and foremost education is vital, teaching users not to click on something or give information out to a non-trusted source. I think that network slightly edges out endpoint in this debate, simply because the network is the way in and out and if you stop it there then endpoint doesn’t need to matter as much. I say network also because Ethernet as a standard is the easiest place to start; with the
if you will. Starting out and working in, encryption on many levels is a must. ANON

Is saying ‘both’ a cop-out?

Seems like there needs to be priorities, based on likelihood of success; network, No. 1; apps, No. 2; endpoints, No. 3. But all of the above? Sure. The foundation is the network, though. Is this an opening/opportunity for network fabric? PAUL CALENTO

Back to first principles

Consider the Security Placement Principle: A security mechanism is most effective when it is placed as close as possible to, and under the direct control of the owner of, the asset that it protects. This is related to the End-to-end Principle in networking. The point is that assets in endpoints should be protected by mechanisms in endpoints. That means hardening operating systems to prevent programs from being installed without explicit authorization informed by digital signatures, and to prevent any code from executing unless properly installed or confined to a sandbox. It means building applications that are secure. It also means enforcing policies, such as for use of file system protection and credentials. And it means extensive use of end-to-end network layer security mechanisms such as SSL. Mechanisms in the network that protect the endpoints are a Band-Aid. Assets in the network have to be protected by mechanisms in the network. Unfortunately, we have known how to build secure systems since the 1970s, but choose not to. Instead, we rely on Band-Aids. ANON
CLEAR CHOICE TEST: WLAN MANAGEMENT

Cloud-based services navigate the maze

Aerohive, D-Link and Meraki deliver enticing alternatives to on-site management

BY C.J. MATHIAS

The  cloud  is  everywhere 
today,  offering  the  possi¬ 
bility  of  all  manner  of  IT 
functions  on  a  software- 
as-a-service  (SaaS)  basis. 

In  this  test,  we  looked  at  three  compa¬ 
nies  that  provide  WLAN  management 
services  in  the  cloud,  and  we  came 
away  impressed. 

Because  of  the  mission-critical 
nature  of  network  management  and 
the  fact  that  these  tools  have  tradi¬ 
tionally  lived  on-site,  there  is  some 
understandable  skepticism  toward 
cloud-based  WLAN  management.  But 
we  discovered  that  cloud-based  man¬ 
agement  offers  an  interesting  path  to 
reducing  cost,  improving  productivity 
and  offering  a  range  of  functions  that 
otherwise  would  involve  sizeable  capi¬ 
tal  investments. 

The  idea  of  moving  wireless  LAN 
management  to  the  cloud  has  proven 
so  interesting  that  a  number  of  ven¬ 
dors  are  now  delivering  these  services. 

We  tested  three  cloud-based  offerings: 
HiveManager  Online  from  Aerohive 
Networks,  D-Link’s  CloudCommand 
and  Meraki’s  Cloud  Controller. 

We  wanted  to  find  out  if  there  is  a 
compromise  in  capability  between 
cloud  and  traditional  WLAN  manage¬ 
ment  systems.  What  do  the  econom¬ 
ics  really  look  like?  And  could  cloud 
capability  literally  move  the  network  opera¬ 
tions  center  into  the  palm  of  one’s  hand? 

WLAN management: From nice-to-have to vital

Traditionally,  WLAN  management  functions 
in  enterprise-class  products  have  been  imple¬ 
mented  either  in  a  WLAN  controller  or  in  a 
separate  appliance  or  server  (virtual  or  other¬ 
wise),  or  sometimes,  both.  Small-to-midsize 
business  products  usually  involve  configur¬ 
ing  firmware  in  each  access  point  involved, 
via  a  secure-HTTP  interface. 

An  effective  centralized  management 
console  should  be  capable  of  performing  all 
required  functions  across  the  entire  network, 
no  matter  how  large  or  distributed,  easily 
exporting  all  key  interfaces  and  intrinsic 
facilities. 

Moving the management system into the cloud isn’t as big a departure as it might initially seem. Eliminating the need for local hardware (usually accessed via the browser-based client, as is required with the cloud) doesn’t seem like it should be a big deal, and other mission-critical functions have gone the Web/cloud/SaaS route.

So,  just  how  good  are  cloud-based  wireless- 
LAN  management  systems?  Is  there  any  com¬ 
promise  in  functionality?  Can  they  perform 
in  mission-critical  settings?  And  do  they  rep¬ 
resent  a  viable  strategic  direction  for  what  is, 
again,  a  vital  function? 

Test  parameters 

The  evaluation  process  in  this  case  was  a  bit 
different  from  the  typical  Network  World  test, 
in  that  no  throughput  testing,  functional 
verification  or  other  benchmarking  was 
performed.  Rather,  we  compared  features 
by  examining  the  capabilities  of  each  prod¬ 
uct,  using  a  live  installation.  The  results  are 
assembled  in  a  table,  which  appears  online  at 
tinyurl.com/5ux29rw. 

We also noted what we liked — and didn’t — about each implementation. The table is not exhaustive — some of the products reviewed have literally hundreds of functions. But we wanted to make sure that an enterprise would be happy with the cloud service implementation in each case, so key functions are listed.

Each vendor was asked to provide two access points, the credentials necessary to access its cloud-based management service, documentation, pricing and any other materials appropriate to a product review. We approached this test as a customer knowledgeable in WLANs, but unfamiliar with the details of each product, with the goal of discovering features and capabilities through actual use.

Aerohive Networks, D-Link and Meraki, all firms with a significant presence in the WLAN space, agreed to participate. All of the cloud-based management consoles run within a browser, and for this test we used Internet Explorer 8 running on Windows XP.

The test strategy was simple: For each vendor, we pretended to be novice customers deploying a WLAN for the first time. We followed vendor recommendations and documentation (as available) closely, noting any issues or problems as we went. We then walked through all of the facilities for each console, assembling the features table and noting any interesting items.

We verified all Wi-Fi settings using Fluke Networks’ AirCheck handheld Wi-Fi Tester, which was a very convenient tool. We need to point out that while comparing different consoles on their feature set makes sense for the purposes of this comparative review, customers should not make buying decisions based on features alone.

A buying decision would also involve the selection of access points, so additional parameters come into play. While we believe that management functionality is rapidly becoming a key differentiator in WLAN offerings, it would be wrong to conclude at this point that any purchasing decision would be gated solely by such.

Overall  test  results 

Each service has its own strategy and emphasis, but we found no degraded performance and concluded that there is no reason, based on available capabilities, that a cloud-based WLAN management system could not completely replace a local implementation.

Product: HiveManager Online
Company: Aerohive
Price: First year, $95 per AP; three years, $190 per AP.
Pros: Easy to use, enterprise-scale, intuitive, broad range of features.
Cons: Lack of a traditional user guide.

Product: CloudCommand
Company: D-Link
Price: First year included with purchase of APs; subsequent years, $99 per year per AP.
Pros: Simple, effective, best for SMB use.
Cons: Limited features, limited documentation.

Product: Cloud Controller
Company: Meraki
Price: First year, $150 per AP; three years, $300 per AP.
Pros: Easy to set up, strong security, enterprise-grade.
Cons: Documentation could be better.

Each product was easy to use and responsive, and while functionality varied significantly, all could handle at least the basic functions essential in enterprise-class WLAN operations.

All of these services are priced by the year on a per-access-point basis, with pricing as low as $4.75 per month per access point (Aerohive). While the analysis of a specific case is required for an ultimate determination of value, the cost differential between a local implementation and using a cloud-based service could be significant. We’ve seen cases where the cost reduction afforded by the cloud actually paid for the remainder of the system itself.

Aerohive  HiveManager  Online 

Aerohive suggests getting started with HiveManager Online (which we, like Aerohive, will refer to as HMOL below) via a 25-minute online video that covers all the basics.

The video is entertaining and informative, and this is indeed a great place to get rolling with HMOL. It’s easy to skip over the parts that don’t apply to a particular situation. We also reviewed a very complete set of documentation, which included a Reviewer’s Guide that is sent as part of a customer evaluation. Oddly, though, there is no manual.

Two of Aerohive’s HiveAP 320 access points were connected to our LAN, and we fired up the HMOL console. The required credentials are provided via email. But it’s basically plug in the access points and log in to HMOL. A little parameter setting (password, time zone, etc.) and you’re ready to go.

HMOL provides exactly the same functionality as HiveManager running on a local server or appliance and, as such, is designed to manage large-scale, enterprise-class deployments.

HMOL comes in Express Mode and Enterprise Mode, which can be thought of as beginner and advanced. Express Mode, despite its name, offers a very robust set of functions and that’s the place to start.

We made a cursory pass through Enterprise Mode, noting that settings applied in Express Mode carry over to Enterprise Mode, but not the reverse — so be warned that switching back isn’t an easy task. And the differences between the two were fairly minor regardless.

The most important function in a WLAN management system is to configure access points, SSIDs and related security items. This is all very easy and intuitive in HMOL Express, reminiscent of “wizard” features that we’ve seen over the years in a wide variety of products.

Everything is easy, but it’s possible to dig into very low-level settings if you wish, including setting access point transmit power, for example. Once you’re done, upload the settings, reboot the access points and you’re on the air. The Home screen in HMOL provides an overview of key operational status. As with all of the products reviewed here, our No. 1 wish would be the ability to customize this page to our specific preferences.

HMOL also excels at monitoring, with a wide variety of data available, including RF interference, radio channel, transmit power and noise floor, detailed event logs and a lot more. It’s possible to upload floor plans and maps for complete documentation as well as operator visualization of access point locations. And, while all of this is very easy to use, the online help function is detailed and complete, at least partially compensating for the lack of a traditional user’s guide.

Overall,  we  were  impressed  with  the  range 
and  scope  of  function  and,  at  the  same  time, 
how  simple  and  intuitive  the  user  interface 
is  —  one  of  the  best  we’ve  seen. 

D-Link  CloudCommand 

While D-Link is best known as a supplier of residential-class networking components, the company has a substantial presence in the SMB space. Its new DAP-2555 AirPremier N AP ($399 list) is a dual-band product designed for business use and managed by CloudCommand, a cloud-based management console from PowerCloud Systems. PowerCloud is an OEM SaaS company, and CloudCommand is also available from a few other companies.

Setup is very easy — just plug in the access points, go to the D-Link CloudCommand website, register with contact info, enter UICs for each access point (on a label on the bottom of each), enter SSID, set encryption options and guest access preferences, name the access points and enter their location, review everything and press enter — that’s literally it. The CloudCommand console is quite simple, with just a few tabs for a Dashboard snapshot view of settings, status and activity.

An interesting security option is to augment WPA2 with what PowerCloud calls Individual Device Authorization (IDA), a variant on the per-user key theme, in this case delivering credentials out-of-band via text messaging. Individual tokens are entered via the browser, and can be individually revoked as required.

We did notice that one of our test access points would not come online, and this situation, likely a defective unit, was correctly identified by CloudCommand. D-Link will replace any defective access points, of course, under warranty.

Somewhat curious, a review of a prerelease of the user manual for the DAP-2555 shows a very robust set of functionality, but little of this is currently exported via CloudCommand — and the option to enable full configurability and control is missing from the current firmware.

This means that it will currently be necessary to log in to each access point for detailed configuration — exactly what a centralized management console is designed to avoid. Again, D-Link is really just getting started here, so we expect that this mismatch will be corrected.

Overall, CloudCommand is a simple but effective management console that would be especially at home in smaller installations. And we anticipate that PowerCloud will be adding new features on a regular basis, although the big question is how quickly its OEMs will roll out new releases. The only other real issue relates to documentation — there isn’t much besides an FAQ file, and there’s only very limited context-sensitive help with no explanation of many items and options. We expect, based on conversations with company representatives, that this oversight will be corrected shortly.

Meraki  Cloud  Controller 

Meraki was one of the firms that originated the concept of cloud-based deployment, and all of its access point products are provisioned via its cloud-based Cloud Controller service. Setup is a piece of cake: Via Meraki’s secure site, create an account, enter your order number (sent by Meraki via a confirmation email at time of purchase) and you’re in. The remaining configuration of security and related items is trivial. Interestingly, Meraki allows users to enter the location of access points on a map for quick reference later, a feature that could be very useful in widely distributed networks.

In fact, though, the entire console is very easy to use, with context-sensitive help and a crisp, logical layout. It’s easy to find what you’re looking for, but documentation could be better. Selecting the help tab ultimately results in a search that may produce a lot of irrelevant information — and it would be great if help popped up in a separate window (as is the case with Aerohive) so you could see the help and the screen you’re working with at the same time. There is, however, a very complete manual available for download, along with many other useful documents.

Meraki includes a clever and easy-to-use facility to set up custom splash pages, which can include authentication (username/password) beyond 802.11’s authentication. The product is exceptionally strong in security (VPNs, RADIUS and more), with numerous options for managing traffic flow and QoS, and even checking for virus protection on clients. The company also includes a way for users to “make a wish” for new features and improvements, an interesting idea. Our biggest wish, by the way, for all of these products is the ability to customize the user interface so as to ignore options we don’t need and to customize the monitoring view for our preferences.

Meraki has steadily expanded its product offering with a line of routers, VPNs, Wi-Fi Hotzones and even systems management (clients and servers), all managed from the cloud. As we saw with Aerohive, this expansion of the scope of cloud-based management really shows the power of the cloud-services concept when put into practice, and points to what could indeed become a cloud-centric future for all of network management.

Analysis  and  conclusions 

All of the products here easily handle the basics of multi access point wireless network management — adding and configuring access points, monitoring for exceptions and reporting, and doing all of this reasonably intuitively. While the Aerohive and Meraki products are quite robust, even smaller installations looking for simplicity will be happy with any of the products — responsiveness was uniformly excellent in all cases, so a local server has no real advantage in this dimension.

Of course, your choice of management service, with the exception of CloudCommand, will be tied to specific hardware, so the management console alone is again unlikely to be the key differentiator here — but we believe that eventually management will become a key if not a gating item in system selection.

Cloud is indeed reminiscent of timesharing, harkening back to the era of mainframes and terminals. But we’re clearly today dealing with more horsepower in networks, servers and software.

And the real issue is capabilities — services deployed cost-effectively, reliably and location-independently — not hardware. It’s about the economics of the contemporary organization — minimizing capital and operating expense without compromising functionality — not having title to all of the required pieces.

Thus the shift: WLAN management is about fundamentally location-independent services, not products. As we’ve seen in the sampling explored here, the range of function is broad, the services responsive and simple to use, and each is clearly effective and worthy of further consideration.

The biggest argument against WLAN management in the cloud is with respect to reliability: What if your connection to the Internet goes down? What if the ISP or management services provider suffers an outage? In the event of such a failure, the lack of WLAN management capabilities is likely to be the least of your worries, as most other IT operations are also likely to be affected. And regardless, this challenge is addressed in the usual manner, through business operations continuity planning and related IT best practices.

With respect to the suppliers of WLAN management services themselves, we asked the question of each supplier: Are your operations distributed enough and fault-tolerant enough to withstand even a challenge as great as that represented by the recent earthquake and tsunami in Japan? Each responded positively, with D-Link, for example, noting that CloudCommand is hosted on Amazon’s EC2 cloud service. Of course, Amazon recently suffered an outage, but we are again talking about WLAN management, and it’s unlikely that a temporary outage in management services will have an adverse effect on the enterprise.

Where do we go from here? It’s pretty clear that our initial assumptions about no compromise in functionality and cost-effective deployment were correct. We’re also seeing announcements from such firms as AirTight, which recently augmented its cloud-based WLAN security and assurance capabilities with access also managed in the cloud. (AirTight was invited to participate in this test but declined, citing scheduling issues.)

And WaveLink recently announced a cloud-based version of its well-known Avalanche platform, this one aimed at mobile device management. (WaveLink has also hinted at WLAN management in the cloud for the future.)

In addition, Enterasys enables its resellers with cloud-based wired and WLAN management capabilities in the Network Management Suite, and this angle is interesting, with the enabling of multi-tenancy an intriguing possibility for resellers everywhere. This shift in business models is almost as interesting as the technology, and we think both resellers and end users will look at cloud-based management as a viable if not the preferable option with a bit more exposure.

Indeed, it would be hard to imagine any showstopper with respect to cloud-based WLAN management. And it’s easy to see how this model extends naturally and transparently to wired-LAN management as well. One need look no further than Meraki’s new Systems Manager service to see how the cloud can extend into most if not all enterprise IT management functions. ■

Mathias  is  a  principal  at  Farpoint  Group,  a 
wireless  advisory  firm  in  Ashland,  Mass.  He 
can  be  reached  at  craig@farpointgroup.com. 


Go online for a table showing the feature set for each WLAN management service: http://tinyurl.com/5ux29rw

CLEAR  CHOICE  TEST:  CISCO  CATALYST  4500  SWITCH 

Cisco  powers  up  Catalyst  4500 

New  UPoE  spec  supplies  60  watts  per  switch  port 


BY DAVID NEWMAN

Cisco doesn’t just want to sell you switches. It also wants to be your power distribution vendor.

New line cards for the Catalyst 4500 switches support Universal Power over Ethernet (UPoE), a means of supplying up to 60 watts per switch port. That’s enough to power all devices in a cubicle, including a 23-inch monitor, thin-client computer and webcam-equipped IP phone.

We lit up all that gear in this exclusive Clear Choice Test, and also examined performance and features of a new Supervisor 7-E management module and an energy-efficient Ethernet line card that drops power consumption when idle. These transformed the venerable Catalyst 4500 from modular Ethernet switch to master power-distribution system.

UPoE differs from previous versions of PoE in that it uses all four pairs of an Ethernet cable to supply power, doubling the wattage available to UPoE-capable devices. Cisco’s implementation is proprietary, but the vendor says it will bring this variant of the existing 802.3at specification to the IEEE for standardization.

Cisco bolsters switches

The new WS-X4748-UPoE+E line card has 48 Gigabit Ethernet ports, 24 of which can supply UPoE power. We verified this by using Sifos Technologies’ PowerSync analyzer to draw a full 60-watt load on 24 ports during all performance tests. UPoE had no impact on system throughput or latency, as measured with a Spirent TestCenter analyzer.

We also verified UPoE functionality by plugging in devices typically found in an office cubicle. For the phone and computer, we used a Cisco 9971 IP phone equipped with a webcam and embedded CVXC-2111C virtual desktop client. The latter is a thin-client computer that we used with VMware’s Virtual Desktop Infrastructure (VDI). We also attached a 23-inch Samsung SyncMaster NC220 monitor over UPoE.

Finally, we attached BT Group’s ITS.Netrix, a phone intended mainly for stock traders with up to 20 lines, four speakers and a video display. All these devices operated successfully using UPoE.

Two kinds of devices that won’t work with UPoE, at least for now, are conventional notebook and desktop PCs. While they’re getting more efficient, most laptop and desktop PCs currently draw well more than the 60 watts supplied by UPoE. For example, this article was written and edited on an Apple MacBook Pro with an 85-watt power supply and a Dell OptiPlex desktop that can draw up to 590 watts. Even though actual power draw is usually far lower, 60 watts sometimes isn’t enough for either type of machine.

Catalyst 4500 delivers low latency

We blasted various frame sizes and types of traffic through all 384 Gigabit Ethernet ports on the Catalyst 4500 and found that the switch consistently delivered low latency.

Net management ABCs

A common PoE misperception is that adding wattage means adding heat in the wiring closet. PoE is a method of power distribution, with the switch acting merely as a pass-through system. Most heat dissipation occurs at the powered device, not at the power-supplying equipment (in this case, the switch).

In contrast, another IEEE spec called energy-efficient Ethernet (EEE) specifically aims to reduce power at the switch port during idle periods. In a test of new EEE-capable line cards involving 384 copper Gigabit Ethernet ports, we saw power consumption fall from 1,462 watts to 1,278 watts when we enabled EEE, a 12.6% power savings.

Cisco also demonstrated an alpha version of a protocol analyzer running on the Supervisor 7-E module. Network engineers familiar with Wireshark and tcpdump will be right at home with the analyzer, which can save captures to a file or present them in a format similar to a Wireshark decode in a terminal window. This early version captured only 100 packets, but Cisco says a version slated for release this fall will be limited only by buffer memory on the supervisor card. Like Wireshark, the analyzer uses capture and display filters to zero in on interesting packets.

The analyzer can be used in conjunction with Flexible NetFlow (FNF) and Embedded Event Manager (EEM) features of the supervisor card to take action in response to network conditions. For example, FNF can identify a SYN flood attack, and a simple EEM script could then shut down the affected switch port or throttle traffic rates. Similarly, the analyzer could start a capture of any unknown protocol.

FNF can track more than 70,000 concurrent flows on the Supervisor 7-E module. We verified this by enabling FNF during all performance tests, and saw FNF tracking 73,536 of the 147,072 flows we generated.

Performance is job one

Delivering high throughput and low latency is job one for any Ethernet switch, and accordingly we devoted most testing in this area. We measured throughput and latency with four test cases: Layer 2 unicast, Layer 3 unicast, with separate IPv4 and IPv6 tests; and Layer 2 multicast. We also measured media access control address capacity and the time needed to upgrade and downgrade software.

Unlike many modular switches, the Catalyst 4500 uses a centralized switch fabric, which means all flows have the same latency regardless of source and destination port. Many newer switches use distributed architectures that exhibit low latency between ports on a single switch module but higher latency when crossing the switch backplane. By measuring the latency of every frame in every flow using the Spirent TestCenter traffic generator/analyzer, we verified uniform latency across all flows.

Network World gratefully acknowledges

Product: Catalyst 4500
Company: Cisco
Price: Supervisor 7-E module, $19,995; UPoE line card, $9,500; EEE line card, $7,000; 10-slot system as tested, $133,975.
Pros: 60-watt PoE per port; low latency; solid management tools.
Cons: Switch fabric is blocking with short frames.

Average  and  maximum  latency  was 
remarkably  consistent  across  test  cases.  With 
short  frames  offered  in  a  fully  meshed  pattern 
among  all  384  ports,  the  switch  held  up  traffic 
for  an  average  of  around  6.5  microseconds  for 
unicast  traffic.  With  multicast  traffic,  tested 
with  383  ports  all  subscribed  to  the  same 
1,000  multicast  groups,  average  latency  was 
7.9  microseconds. 

There  was  little  variation  in  delay  across 
different  unicast  test  cases,  indicating  that 
the  switch  processes  all  flows  the  same  way 
in  hardware.  Perhaps  more  significantly, 
latency  is  relatively  low  for  a  large  Gigabit 
Ethernet  modular  switch. 

While the Catalyst 4500 doesn’t delay traffic for long, its fabric is blocking under some conditions. The new Supervisor 7-E card, like the 6-E before it, has a processing limit of 250 million frames per second, and that in turn limits non-blocking performance to 167 out of a possible 384 Gigabit Ethernet ports.

With all 384 ports fully loaded, system throughput is only around 43.7% of Gigabit Ethernet line rate when handling 64-byte frames. With multicast traffic, the limit is lower still, around 38.5% of line rate with 64-byte frames.

Granted, no production network would ever see only short frames on all 384 ports of any switch. But 64-byte frames are very common (think TCP acknowledgments), and every dropped frame degrades application performance. Given that wire-speed “merchant silicon” ASICs have been around for 10 years or so, it’s always surprising to see any new switch with blocking performance.

We also measured throughput for 256-, 1,518- and 9,216-byte jumbo frames. In those cases, the Catalyst 4500 forwards traffic at line rate on all 384 Gigabit Ethernet ports both for unicast and multicast traffic.

The Supervisor 7-E card also supports up to 96 10G Ethernet ports, increased from 30 ports in the 6-E, but we did not test these.

Another key acronym supported by the Catalyst 4500 is ISSU, or in-service software upgrade. This refers to the ability to upgrade and downgrade software with almost no disruption to users’ control- or data-plane traffic. We tested this both to upgrade and downgrade software images while concurrently blasting all ports with line-rate traffic. In both cases, the cutover time was around 30.5msec, well below Cisco’s 50msec claim.

The final test determined MAC address capacity, the maximum number of addresses the switch is capable of learning.

Virtualization can easily drive address counts into the tens of thousands. In our tests, the Catalyst 4500 learned 55,000 MAC addresses. That’s probably more than enough for most enterprise data centers using virtualization.

As usual with Cisco switches, the Catalyst 4500 also supports a long list of other switching, routing, security and management features. For network managers who’ve long considered switching a commodity technology, the new power-management capabilities represent very interesting additions to the features list. Suddenly, the venerable Catalyst 4500 is no longer “just” an Ethernet switch, but a new way to distribute and manage power as well. ■

Newman  is  a  member  of  the  Network  World 
Lab  Alliance  and  president  of  Network  Test, 
an  independent  test  lab  and  engineering 
services  consultancy.  He  can  be  reached  at 
dnewman@networktest.com. 
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The  horror  of  blue  LEDs! 


MODERN  ELECTRONIC  products  are 
amazing.  If  you  cast  your  mind  back  to 
when  you  were  young  (some  of  us  need 
more  casting  than  others),  the  fact  that  any  of  these  things  exist  at  all  is 
just  short  of  miraculous. 

But  along  with  this  cornucopia  of  technical  delights  come  some  seri¬ 
ous  irritations.  For  example:  blue  LEDs. 

I  hate  blue  LEDs.  It’s  not  the  color  —  I  have  no  aesthetic  problem 
with  the  color  blue  —  it’s  the  brightness.  I  have  pieces  of  equipment 
with  blue  LEDs  so  bright,  if  I  turn  out  the  lights  I  can  still  read  a  book. 

In  my  bedroom  there’s  a  blazing  blue  LED  on  my  DVD  player  that 
sears  your  eyeballs  if  you  look  straight  at  it  and  another  in  an  after- 
market  power  adapter  (or,  as  I  prefer  to  call  them,  “wall  warts”)  for  an 
iPod  that  bathes  the  entire  bedroom  in  an  eerie  glow.  And  walk  into  my 
office  —  there  are  blue  LEDs  in  most  gadgets  and/or  their  wall  warts.  It 
seems  that  everything  now  has  a  damned  blue  LED! 

In  the  kitchen,  there’s  even  a  blue  LED  in  the  coffee  maker!  Enough, 
product  designers!  Enough!  It’s  gotten  so  bad  I’ve  started  putting 
pieces  of  tape  over  the  LEDs.  Couldn’t  we  have  a  change  of  pace?  Maybe 
a  nice  dull,  friendly  green  LED  or  a  cheery,  muted  cherry  red  one?  Is 
that  too  much  to  ask? 

While  I’m  on  the  topic,  wall  warts!  They  breed  like  metal  coat  hang¬ 
ers!  And  they’re  all  different  with  the  majority  being  great,  lumpen 
things  that  take  up  as  much  socket  real  estate  as  possible. 

And  why  can’t  manufacturers  label  the  damn  things!  Come  on  guys, 
it’s  easy.  Just  a  little  sticker  on  the  side  of  the  adapter  would  make  every¬ 
one’s  life  so  much  easier. 


I  have  this  huge  box  full  of  wall  warts  which  have  accumulated  over 
the  last  four  or  five  years.  Given  there  are  no  working  devices  without 
wall  warts  and  there  are  so  many  in  the  box  —  at  least  100,  which  has 
to  be  more  than  the  all  of  the  discarded  gear  —  the  only  reasonable 
conclusion  is  that  they  do,  in  fact,  breed. 

And you know what happens: Should you fail to label your wall
warts and then be so careless as to allow a piece of gear and its adapter
to become separated for more than about 10 seconds, you’ll find yourself
in an episode of “Mission Impossible.” Something like your phone
will be dying and you’ll be looking for the one adapter with that weird,
almost but not quite mini-USB-style connector that is, like every other
connector you can lay your hands on, matte black.

Of  course,  if  you  can  find  the  right  adapter,  you  can  never  figure  out 
which  way  the  connector  should  be  inserted.  I  have  a  cellphone  where, 
unless  you  get  the  insertion  angle  just  right,  the  connector  won’t  go 
in.  So  I  always  wind  up  turning  the  connector  over  and  trying  again 
but  now  it  certainly  won’t  go  in  because  that’s  the  wrong  way  up!  So 
I  turn  it  over  one  more  time  and  wriggle  the  connector  into  the  socket 
and  it  turns  into  an  exercise  of  grind  to  fit.  Pah!  What  ever  happened 
to  design?! 

So,  I’d  like  to  ask  for  your  nominations  for  equipment  with  really 
annoying  details  whether  it  be  blinding  LEDs,  dorky  wall  warts,  lack 
of  labels  or  poorly  designed  connectors.  Perhaps  we’ll  award  a  prize ... 
I’m  thinking  my  box  of  unlabeled  adapters  would  be  perfect.  ■ 

Gibbs is geared up in Ventura, Calif. Your nominations to backspin@gibbs.com.
Monkey business with a camera


NEVER  MIND  the  infinite  monkey  theorem 
reproducing  Shakespeare,  what  we  were 
asked  to  ponder  last  week  is  a  lone  black 
macaque  commandeering  a  photographer’s  unattended  camera  to 
shoot  a  few  amusing  pictures  ...  and  touch  off  a  copyright  debate  in 
the  process. 

Copyright  issues  certainly  have  become  more  complex  in  the  digital 
age.  In  this  instance,  professional  photographer  David  Slater  was  at 
the  center  of  the  monkey  business  —  along  with  the  monkey,  of  course 
—  while  on  a  nature  shoot  in  Indonesia. 

At the center of the copyright debate was the technology blog Techdirt,
which claimed that its publication of the photos was covered by
fair use even if Slater or his photo agency — or the monkey — can claim
copyright, which Techdirt maintained that they cannot.

The  photo  agency  sent  Techdirt  a  letter  asking  that  the  images  be 
removed  from  its  website.  Techdirt  told  the  agency  to  go  pound  sand. 

Great  fun. 

While  possessing  no  legal  training,  I  am  paid  to  have  opinions,  so 
here  are  a  few  of  mine: 

Putting  copyright  law  aside,  these  photographs  clearly  belong  to 
Slater  in  the  generally  accepted  sense  of  belonging.  The  camera  is  his. 
He  brought  it  to  Indonesia.  He  placed  it  —  however  unintentionally  — 
so  as  to  be  accessed  by  the  monkey.  And  he  retrieved  the  photos  from 
his  camera  once  he  regained  possession. 

Absent  any  single  aspect  of  Slater’s  participation,  the  photos  are  not 
with  us  today;  in  other  words,  if  a  monkey  takes  a  picture  in  the  forest 
and  there’s  no  one  there  to  see  it,  they  might  as  well  not  exist. 


Techdirt  is  probably  on  firm  ground  when  asserting  that  its  use  of 
the  photos  in  a  blog  post  examining  the  copyright  issues  constitutes 
fair  use. 

However, those online outlets that used the pictures because they
are cute — and there were many — have much less of a case if the pictures
are copyrighted.

And,  if  the  photos  are  indeed  not  covered  by  copyright  they  should 
be  and  those  rights  should  belong  to  Slater.  He’s  a  professional  and  the 
pictures  are  a  result  of  his  work.  The  fact  that  a  monkey  helped  should 
not  be  determinative,  in  part  because  I  cannot  imagine  that  lawmakers 
ever  contemplated  that  particular  what-if  scenario. 

But  I’m  fine  if  it  turns  out  that  copyright  belongs  to  the  monkey. 

Upcoming  Jobs  bio  renamed 

The  authorized  biography  of  Steve  Jobs  that  isn’t  due  to  be  published 
until  next  year  already  has  a  new  name. 

Fortune reports: “The old one, ‘iSteve: The Book of Jobs,’ was chosen
by Simon & Schuster’s publicity department. The author, Walter Isaacson,
was never quite sure about it. His wife and daughter, however,
were. They thought it was too cutesy.”

Cutesy  is  one  word  for  it.  Pretentious  is  another. 

Whatever  your  view  of  the  original,  it  will  now  be  replaced  by  this 
much  simpler  title:  “Steve  Jobs,”  by  Walter  Isaacson. 

I  haven’t  seen  the  cover  art,  but  would  presume  that  the  first  name  is 
in  larger  type  than  the  second.  ■ 

Have  a  better  idea?  The  address  is  buzz@nww.com. 